laravel/framework-v8.1.0: 7 vulnerabilities (highest severity is: 9.8) #8
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/d769a497a20e4a374ff7454dde7eee65145e3659
Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - laravel/framework-v8.1.0
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/d769a497a20e4a374ff7454dde7eee65145e3659
Dependency Hierarchy:
Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1
Found in base branch: main
Vulnerability Details
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
Publish Date: 2021-11-14
URL: CVE-2021-43617
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43617
Release Date: 2021-11-14
Fix Resolution: php-illuminate-session - 6.20.14+dfsg-2+deb11u1;php-illuminate-broadcasting - 6.20.14+dfsg-2+deb11u1;php-illuminate-config - 6.20.14+dfsg-2+deb11u1;php-illuminate-cookie - 6.20.14+dfsg-2+deb11u1;php-laravel-framework - 6.20.14+dfsg-2+deb11u1;php-illuminate-database - 6.20.14+dfsg-2+deb11u1;php-illuminate-translation - 6.20.14+dfsg-2+deb11u1;php-illuminate-support - 6.20.14+dfsg-2+deb11u1;php-illuminate-encryption - 6.20.14+dfsg-2+deb11u1;php-illuminate-hashing - 6.20.14+dfsg-2+deb11u1;php-illuminate-auth - 6.20.14+dfsg-2+deb11u1;php-illuminate-http - 6.20.14+dfsg-2+deb11u1;php-illuminate-mail - 6.20.14+dfsg-2+deb11u1;php-illuminate-view - 6.20.14+dfsg-2+deb11u1;php-illuminate-pipeline - 6.20.14+dfsg-2+deb11u1;php-illuminate-filesystem - 6.20.14+dfsg-2+deb11u1;php-illuminate-validation - 6.20.14+dfsg-2+deb11u1;php-illuminate-container - 6.20.14+dfsg-2+deb11u1;php-illuminate-notifications - 6.20.14+dfsg-2+deb11u1;php-illuminate-cache - 6.20.14+dfsg-2+deb11u1;php-illuminate-contracts - 6.20.14+dfsg-2+deb11u1;php-illuminate-routing - 6.20.14+dfsg-2+deb11u1;php-illuminate-queue - 6.20.14+dfsg-2+deb11u1;php-illuminate-redis - 6.20.14+dfsg-2+deb11u1;php-illuminate-bus - 6.20.14+dfsg-2+deb11u1;php-illuminate-log - 6.20.14+dfsg-2+deb11u1;php-illuminate-console - 6.20.14+dfsg-2+deb11u1;php-illuminate-pagination - 6.20.14+dfsg-2+deb11u1;php-illuminate-events - 6.20.14+dfsg-2+deb11u1
Vulnerable Library - league/flysystem-1.1.3
Filesystem abstraction: Many filesystems, one API.
Library home page: https://api.github.com/repos/thephpleague/flysystem/zipball/9be3b16c877d477357c015cec057548cf9b2a14a
Dependency Hierarchy:
Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1
Found in base branch: main
Vulnerability Details
Flysystem is an open source file storage library for PHP. The whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely. The conditions are: A user is allowed to supply the path or filename of an uploaded file, the supplied path or filename is not checked against unicode chars, the supplied pathname checked against an extension deny-list, not an allow-list, the supplied path or filename contains a unicode whitespace char in the extension, the uploaded file is stored in a directory that allows PHP code to be executed. Given these conditions are met a user can upload and execute arbitrary code on the system under attack. The unicode whitespace removal has been replaced with a rejection (exception). For 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.
Publish Date: 2021-06-24
URL: CVE-2021-32708
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-9f46-5r25-5wfm
Release Date: 2021-06-24
Fix Resolution: 1.1.4,2.1.1
Vulnerable Library - laravel/framework-v8.1.0
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/d769a497a20e4a374ff7454dde7eee65145e3659
Dependency Hierarchy:
Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1
Found in base branch: main
Vulnerability Details
Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.
Publish Date: 2021-01-19
URL: CVE-2021-21263
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3p32-j457-pg5x
Release Date: 2021-01-19
Fix Resolution: v6.20.11,v7.30.2,v8.22.1
Vulnerable Library - symfony/http-kernel-v5.1.5
Symfony HttpKernel Component
Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/3e32676e6cb5d2081c91a56783471ff8a7f7110b
Dependency Hierarchy:
Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1
Found in base branch: main
Vulnerability Details
Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2, maintainers added support for the
X-Forwarded-Prefixheaders, but this header was accessible in SubRequest, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing aX-Forwarded-Prefixheader, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that theX-Forwarded-Prefixheader is not forwarded to subrequests when it is not trusted.Publish Date: 2021-11-24
URL: CVE-2021-41267
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-q3j3-w37x-hq2q
Release Date: 2021-11-24
Fix Resolution: v5.3.12
Vulnerable Library - symfony/http-kernel-v5.1.5
Symfony HttpKernel Component
Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/3e32676e6cb5d2081c91a56783471ff8a7f7110b
Dependency Hierarchy:
Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1
Found in base branch: main
Vulnerability Details
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the
AbstractSessionListener, the response might contain aSet-Cookieheader. If the Symfony HTTP cache system is enabled, this response might bill stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and is available for branch 4.4.Publish Date: 2023-02-03
URL: CVE-2022-24894
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://symfony.com/blog/cve-2022-24894-prevent-storing-cookie-headers-in-httpcache
Release Date: 2022-02-11
Fix Resolution: v4.4.50, v5.4.20, v6.0.20, v6.1.12, v6.2.6
Vulnerable Library - laravel/framework-v8.1.0
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/d769a497a20e4a374ff7454dde7eee65145e3659
Dependency Hierarchy:
Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1
Found in base branch: main
Vulnerability Details
Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent template contains an exploitable HTML structure an XSS vulnerability can be exposed. This vulnerability has been patched in versions 8.75.0, 7.30.6, and 6.20.42 by determining the parent placeholder at runtime and using a random hash that is unique to each request.
Publish Date: 2021-12-07
URL: CVE-2021-43808
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-66hf-2p6w-jqfw
Release Date: 2021-12-07
Fix Resolution: v6.20.42, v7.30.6, v8.75.0
Vulnerable Library - laravel/framework-v8.1.0
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/d769a497a20e4a374ff7454dde7eee65145e3659
Dependency Hierarchy:
Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1
Found in base branch: main
Vulnerability Details
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Publish Date: 2024-11-12
URL: CVE-2024-52301
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-gv7v-rgg6-548h
Release Date: 2024-11-12
Fix Resolution: laravel/framework-6.20.45,7.30.7,8.83.28,9.52.17,10.48.23,11.31.0
The text was updated successfully, but these errors were encountered: