CVE-2021-21263
Published 2021-01-19
Priority: P4 (30) · Severity: medium · CVSS 3.1 base score: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 1.60% (72.8th percentile)
Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 are vulnerable to query binding exploitation; the same issue applies to the standalone illuminate/database package that Laravel uses. If a request is crafted so that a field which is normally a non-array value arrives as an array (for example `?email[]=a&email[]=b`), and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings is added to the query: the array's elements are merged into the positional binding list, so the compiled SQL has fewer `?` placeholders than there are bound values and any later bindings shift position. In some situations this simply causes the query builder to return no results; in others the query can return unexpected results.
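To make the mechanism concrete, the following is an added example and not code from the Laravel project or the advisory. It passes a constructed request, in which `email` arrives as an array, straight to the query builder, shows the type-gated version beside it, and includes a small check that compares the placeholder count of the compiled SQL with the number of bindings. It assumes `illuminate/database` is installed through Composer and uses a SQLite connection only to compile SQL; nothing is executed against a database. The names `vulnerableLookup`, `hardenedLookup`, `expectString` and `bindingsAligned` are hypothetical helpers written for this example.

```php
<?php
// Added example: not from Laravel or the advisory. Assumes
// `composer require illuminate/database`. Only compiles SQL, never executes it.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Database\Capsule\Manager as Capsule;

$capsule = new Capsule;
$capsule->addConnection(['driver' => 'sqlite', 'database' => ':memory:']);
$capsule->setAsGlobal();

// Constructed request input: the application expects `email` to be a scalar,
// but the client sent ?email[]=victim@example.com&email[]=admin&role=user.
$request = ['email' => ['victim@example.com', 'admin'], 'role' => 'user'];

// Vulnerable pattern: request input handed to the builder without a type check.
// On affected versions the array's elements are merged into the binding list,
// so "email" = ? gets two values and the binding for "role" shifts.
function vulnerableLookup(array $input)
{
    return Capsule::table('users')
        ->where('email', $input['email'])
        ->where('role', $input['role']);
}

// Type gate: refuse anything that is not a string before the builder sees it.
// Inside a Laravel controller the equivalent is
// $request->validate(['email' => ['required', 'string', 'email'], 'role' => ['required', 'string']]);
// the `string` rule rejects arrays.
function expectString(array $input, string $key): string
{
    if (!isset($input[$key]) || !is_string($input[$key])) {
        throw new InvalidArgumentException("field '$key' must be a string");
    }
    return $input[$key];
}

function hardenedLookup(array $input)
{
    return Capsule::table('users')
        ->where('email', expectString($input, 'email'))
        ->where('role', expectString($input, 'role'));
}

// Diagnostic: a well-formed query has exactly one binding per `?` placeholder.
// Bindings never appear inside the SQL text, so counting `?` is safe here.
function bindingsAligned($query): bool
{
    return substr_count($query->toSql(), '?') === count($query->getBindings());
}

$q = vulnerableLookup($request);
echo $q->toSql(), PHP_EOL;
print_r($q->getBindings());
echo bindingsAligned($q)
    ? "bindings aligned with placeholders" . PHP_EOL
    : "MISALIGNED: array input leaked extra bindings" . PHP_EOL;

try {
    $q2 = hardenedLookup($request);
    echo bindingsAligned($q2) ? "hardened query aligned" . PHP_EOL : "unexpected" . PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "rejected before reaching the builder: ", $e->getMessage(), PHP_EOL;
}
```

Run against an affected illuminate/database build, `getBindings()` returns more entries than `toSql()` has placeholders and `bindingsAligned()` reports the mismatch; on a fixed build the basic `where()` reduces an array value to a single binding (PR #35865), so the same script reports the query as aligned. Eloquent `Model::where()` calls and relationship constraints go through the same query builder, so the type gate belongs on every request field that reaches a `where()`; the reliable fix is still upgrading to a patched version, because per-field validation is easy to miss.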
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-laravel-framework | < 6.20.11+dfsg-1 (bookworm) | 6.20.11+dfsg-1 (bookworm) |
| illuminate | database | >= 6.0.0 < 6.20.12 | 6.20.12 |
| illuminate | database | >= 7.0.0 < 7.30.3 | 7.30.3 |
| illuminate | database | >= 8.0.0 < 8.22.1 | 8.22.1 |
| laravel | framework | >= 6.0.0 < 6.20.11 | 6.20.11 |
| laravel | framework | >= 7.0.0 < 7.30.2 | 7.30.2 |
| laravel | framework | >= 8.0.0 < 8.22.1 | 8.22.1 |
| laravel | laravel | >= 6.0.0 < 6.20.11 | 6.20.11 |
| laravel | laravel | >= 7.0.0 < 7.30.2 | 7.30.2 |
| laravel | laravel | >= 8.0.0 < 8.22.1 | 8.22.1 |
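The ranges above are per major branch, so checking an application means comparing each installed package against the fix for its own branch. The following is an added triage helper, not code from this page, Laravel or Debian: it reads a composer.lock, looks for `laravel/framework` and `illuminate/database` (the `laravel/laravel` skeleton is the application itself and does not appear as a lock entry), and flags versions below the fixed release listed in the table. The `FIXED_IN` constant copies the table; the composer.lock excerpt is constructed for the example, and `isAffected` and `auditComposerLock` are hypothetical names.

```php
<?php
// Added triage helper (not from this page, Laravel or Debian). Reads a
// composer.lock and flags installs inside the affected ranges in the table above.
// Fixed versions per major branch are copied from that table.
const FIXED_IN = [
    'laravel/framework'   => ['6' => '6.20.11', '7' => '7.30.2', '8' => '8.22.1'],
    'illuminate/database' => ['6' => '6.20.12', '7' => '7.30.3', '8' => '8.22.1'],
];

// Returns true (inside an affected range), false (at or past the fix), or null
// when the package or its major branch is not covered by the advisory's ranges.
function isAffected(string $package, string $version): ?bool
{
    if (!isset(FIXED_IN[$package])) {
        return null;
    }
    $v = ltrim($version, 'v');              // composer.lock records tags as "v8.22.0"
    $major = explode('.', $v, 2)[0];
    if (!isset(FIXED_IN[$package][$major])) {
        return null;                        // e.g. 5.x, 9.x or dev-* branches: not in the listed ranges
    }
    return version_compare($v, FIXED_IN[$package][$major], '<');
}

function auditComposerLock(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        if (isAffected($pkg['name'], $pkg['version']) === true) {
            $findings[] = sprintf('%s %s is in an affected range (CVE-2021-21263)',
                $pkg['name'], $pkg['version']);
        }
    }
    return $findings;
}

// Constructed composer.lock excerpt: one package one release behind its fix,
// one exactly at its fix, and one unrelated package.
$lockJson = <<<'JSON'
{
  "packages": [
    {"name": "laravel/framework",   "version": "v8.22.0"},
    {"name": "illuminate/database", "version": "v7.30.3"},
    {"name": "symfony/console",     "version": "v5.2.1"}
  ],
  "packages-dev": []
}
JSON;

foreach (auditComposerLock($lockJson) as $finding) {
    echo $finding, PHP_EOL;
}
```

Point the script at a real lock file with `file_get_contents('composer.lock')`. A `null` result is reported as nothing rather than as "safe": branches outside the table (such as 5.x) are simply not covered by this advisory's ranges, and the Debian package is versioned separately (see the `php-laravel-framework` row).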
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| NVD | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| OSV | 3.x | 5.3 | MEDIUM | |
| Debian (vendor) | | 7.2 | HIGH | |
OSV
osv · 2021-01-19 · CVSS 5.3 (MEDIUM) · CVE-2021-21263: Laravel is a web application framework (same description as above)
OSV
osv · 2021-01-19 · HIGH · Query Binding Exploitation (same advisory text as the GHSA entry below; reference: https://github.com/laravel/framework/pull/35865)
GHSA
ghsa · 2021-01-19 · HIGH · CWE-74 · Query Binding Exploitation
### Description
Laravel versions <6.20.12, <7.30.3 & <8.22.1 are vulnerable to query binding exploitation.
If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.
This vulnerability was discovered by Tim Groenevelt.
### References
- https://github.com/laravel/framework/pull/35865
Debian
vendor_debian · 2021 · CVSS 7.2 (HIGH) · package php-laravel-framework (same description as above)
Scope: local
bookworm: resolved (fixed in 6.20.11+dfsg-1)
bullseye: resolved (fixed in 6.20.11+dfsg-1)
forky: resolved
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://blog.laravel.com/security-laravel-62011-7302-8221-released
- https://github.com/laravel/framework/pull/35865
- https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x
- https://packagist.org/packages/illuminate/database
- https://packagist.org/packages/laravel/framework
Published: 2021-01-19