Affected versions
Symfony versions >=5.3, <5.4.47; >=6, <6.4.15; >=7, <7.1.8 of the Symfony Security-Http component are affected by this security issue.
The issue has been fixed in Symfony 5.4.47, 6.4.15, and 7.1.8.
Description
When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.
Resolution
The PersistentRememberMeHandler
class now ensures the submitted username is the cookie owner.
The patch for this issue is available here for branch 5.4.
Credits
We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.