-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AIMiggo AIRoot Cause AnalysisThe vulnerability lies in the insecure deserialization of cookie data. The advisory GHSA-98j6-67v3-mw34 for auth0/symfony states that it's affected due to its dependency on auth0/auth0-php (versions 8.0.0-BETA3 to 8.3.0), which has a corresponding advisory GHSA-v9m8-9xxp-q492. The patched version for auth0/symfony is 5.1.0, and for auth0/auth0-php is 8.3.1. The commit history for auth0/symfony between versions 5.0.0 and 5.1.0 does not reveal direct changes to cookie handling or deserialization logic. This strongly indicates that the actual vulnerable code and the subsequent fix reside within the auth0/auth0-php library. Without the specific commit(s) from auth0/auth0-php that patched this deserialization vulnerability, it is not possible to pinpoint the exact vulnerable functions. The functions at risk would be those in auth0/auth0-php responsible for reading and deserializing cookie data, which are then utilized by auth0/symfony.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| auth0/symfony | composer | >= 5.0.0-BETA0, <= 5.0.0 | 5.1.0 |
PHPPHPOngoing coverage of React2Shell