CVE-2024-36610

NameCVE-2024-36610
DescriptionA deserialization vulnerability exists in the Stub class of the VarDumper module in Symfony v7.0.3. The vulnerability stems from deficiencies in the original implementation when handling properties with null or uninitialized values. An attacker could construct specific serialized data and use this vulnerability to execute unauthorized code.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
symfony (PTS)bullseye4.4.19+dfsg-2+deb11u6vulnerable
bookworm5.4.23+dfsg-1+deb12u2vulnerable
bookworm (security)5.4.23+dfsg-1+deb12u4vulnerable
trixie6.4.15+dfsg-1fixed
sid6.4.16+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
symfonysource(unstable)6.4.4+dfsg-3

Notes

Fixed by: https://github.com/symfony/symfony/commit/3ffd495bb3cc4d2e24e35b2d83c5b909cab7e259 (v6.4.4)

Search for package or bug name: Reporting problems