Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
History

Sat, 21 Dec 2024 17:45:00 +0000

Type Values Removed Values Added
References

Fri, 22 Nov 2024 12:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 0.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}


Wed, 13 Nov 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Laravel
Laravel framework
CPEs cpe:2.3:a:laravel:framework:*:*:*:*:*:*:*:*
Vendors & Products Laravel
Laravel framework
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 Nov 2024 19:45:00 +0000

Type Values Removed Values Added
Description Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Title Laravel allows environment manipulation via query string
Weaknesses CWE-88
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-12T19:32:14.415Z

Updated: 2024-12-21T17:02:39.839Z

Reserved: 2024-11-06T19:00:26.396Z

Link: CVE-2024-52301

cve-icon Vulnrichment

Updated: 2024-12-21T17:02:39.839Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-12T20:15:14.087

Modified: 2024-12-21T17:15:18.207

Link: CVE-2024-52301

cve-icon Redhat

No data.