
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-50340 affects the symfony/runtime module of the Symfony PHP framework. When the PHP directive register_argc_argv is set to on, attackers can manipulate the environment or debug mode settings through specially crafted query strings in URLs. The vulnerability was discovered by Vladimir Dusheyko and was patched in versions 5.4.46, 6.4.14, and 7.1.7 (GitHub Advisory).
The issue lets an attacker change the environment or debug mode that the kernel uses while handling a request. It has been assigned a CVSS v3.1 base score of 7.3 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating network accessibility with low attack complexity and no required privileges or user interaction (GitHub Advisory).
The vulnerability can lead to unauthorized access to sensitive information and potential denial of service. Attackers can manipulate the application's environment settings and debug mode, potentially exposing sensitive system information or affecting the application's behavior (Ubuntu Notice).
The vulnerability has been patched in Symfony versions 5.4.46, 6.4.14, and 7.1.7. With the fix, SymfonyRuntime ignores argv values when PHP runs under a non-CLI SAPI. All users are advised to upgrade to these patched versions. There are no known workarounds for this vulnerability (GitHub Advisory).
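A triage check for the two conditions described above, added here as an example (it is not code from Symfony or from the advisory): it reads the locked symfony/runtime version from a composer.lock and the directive (spelled register_argc_argv in php.ini) from an ini file. The function names, result labels and sample inputs are constructed, and it assumes each patched release listed on this page is the minimum safe version for its major line.

```python
import json
import re

# Patched releases named on this page, keyed by major version.
# Assumption: each is the minimum safe version for its major line.
PATCHED = {5: (5, 4, 46), 6: (6, 4, 14), 7: (7, 1, 7)}

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_LOCK = '{"packages": [{"name": "symfony/runtime", "version": "v6.4.13"}]}'
SAMPLE_INI = "; php.ini excerpt\nregister_argc_argv = On\n"

def parse_version(text):
    """Turn 'v6.4.13' or '6.4.13' into (6, 4, 13); None for dev/branch aliases."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def runtime_version(composer_lock_text):
    """Return the locked symfony/runtime version string, or None if absent."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name") == "symfony/runtime":
            return pkg.get("version")
    return None

def argc_argv_enabled(php_ini_text):
    """Last uncommented register_argc_argv assignment wins; None if unset."""
    value = None
    for line in php_ini_text.splitlines():
        m = re.match(r"\s*register_argc_argv\s*=\s*\"?([^\s\";]+)", line, re.I)
        if m:
            value = m.group(1).lower() in ("1", "on", "true", "yes")
    return value

def assess(composer_lock_text, php_ini_text):
    """Return 'not-installed', 'patched', 'exposed', 'outdated' or 'unknown'."""
    raw = runtime_version(composer_lock_text)
    if raw is None:
        return "not-installed"
    version = parse_version(raw)
    if version is None or version[0] not in PATCHED:
        return "unknown"
    if version >= PATCHED[version[0]]:
        return "patched"
    # Unpatched. Only an explicit "off" lowers the finding to 'outdated';
    # an unset directive is treated conservatively as enabled.
    return "outdated" if argc_argv_enabled(php_ini_text) is False else "exposed"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_INI))
```

An "outdated" result still calls for the upgrade, since the page lists no workaround; it only indicates that the directive is explicitly off in the ini file that was checked.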
Source: This report was generated using AI