CVE-2024-52301
CVE-2024-52301 is a high-severity vulnerability rated 8.7/10 on the CVSS scale. Laravel is a web application framework. When the register_argc_argv PHP directive is set to On, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. EPSS estimates a 37.98% chance of exploitation in the next 30 days.
Description
Laravel is a web application framework. When the register_argc_argv PHP directive is set to On, and users call any URL with a specially crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability is fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-CLI SAPIs.
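The mitigation described above, as an added example that is not Laravel's own code: an environment detector that only honours command-line arguments when PHP_SAPI reports a real CLI, plus a startup check for the risky directive. The function names, the `--env=` flag format and the `$fromDotEnv` fallback are assumptions for the illustration; `str_starts_with` requires PHP 8.

```php
<?php
// Added illustration (not Laravel's own code). Under a web SAPI with
// register_argc_argv=On, $_SERVER['argv'] is populated from the request, so it
// must never drive environment selection there.
declare(strict_types=1);

/**
 * Return the environment name.
 *
 * @param string   $sapi     Value of PHP_SAPI ("cli", "fpm-fcgi", "apache2handler", ...)
 * @param string[] $argv     Contents of $_SERVER['argv']
 * @param callable $fallback Returns the environment from a trusted source (e.g. APP_ENV in .env)
 */
function detectEnvironment(string $sapi, array $argv, callable $fallback): string
{
    // Only a genuine command line may override the environment.
    if ($sapi === 'cli' || $sapi === 'phpdbg') {
        foreach ($argv as $arg) {
            if (str_starts_with($arg, '--env=')) {
                return substr($arg, strlen('--env='));
            }
        }
    }
    // Web requests, and CLI runs without --env, use the trusted source only.
    return $fallback();
}

// Startup guard: true when the risky directive is enabled on a non-CLI SAPI,
// so operators can log a warning or refuse to boot.
function registerArgcArgvIsRisky(string $sapi, string $iniValue): bool
{
    return $sapi !== 'cli' && $sapi !== 'phpdbg'
        && filter_var($iniValue, FILTER_VALIDATE_BOOLEAN);
}

// Constructed demonstration values (hypothetical trusted source).
$fromDotEnv = fn (): string => 'production';

// Web SAPI: argv is ignored regardless of its contents; the trusted value wins.
var_dump(detectEnvironment('fpm-fcgi', ['--env=local'], $fromDotEnv));
// Real CLI run: the explicit flag is honoured.
var_dump(detectEnvironment('cli', ['artisan', '--env=testing'], $fromDotEnv));
// Check the live interpreter configuration against the SAPI it runs under.
var_dump(registerArgcArgvIsRisky(PHP_SAPI, (string) ini_get('register_argc_argv')));
```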
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Laravel | Framework | < 6.20.45 |
| Laravel | Framework | >= 7.0.0, < 7.30.7 |
| Laravel | Framework | >= 8.0.0, < 8.83.28 |
| Laravel | Framework | >= 9.0.0, < 9.52.17 |
| Laravel | Framework | >= 10.0.0, < 10.48.23 |
| Laravel | Framework | >= 11.0.0, < 11.31.0 |
| Debian | Debian Linux | 11.0 |
References
- https://lists.debian.org/debian-lts-announce/2024/12/msg00019.html (Mailing List, Third Party Advisory)
Timeline
- Status: Analyzed
Source: NVD / NIST
