Affected versions

Symfony versions >=5.3, <5.4.47; >=6, <6.4.15; >=7, <7.1.8 of the Symfony Process component are affected by this security issue.

The issue has been fixed in Symfony 55.4.47, 6.4.15, and 7.1.8.

Description

Whan consuming a persisted remember-me cookie, symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.

Resolution

The PersistentRememberMeHandler class now ensures the submitted username is the cookie owner.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Moritz Rauch – Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.

Symfony Blog

Read More