CVE-2021-21263 — Injection in Laravel

CWE-74 — Injection CWE-89 — SQL Injection5 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

1.1%

top 21.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Laravel Illuminate Database Laravel Framework +1 more

Timeline

PublishedJan 19

Description

Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this w…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages5 packages

▶Packagistlaravel/framework8.0.0 — 8.22.1+2

▶debiandebian/php-laravel-framework< php-laravel-framework 6.20.11+dfsg-1 (bookworm)

▶CVEListV5laravel/framework>= 6.0.0, < 6.20.11, >= 7.0.0, < 7.30.2, >= 8.0.0, < 8.22.1+2

▶NVDlaravel/laravel6.0.0 — 6.20.11+2

▶Packagistilluminate/database7.0.0 — 7.30.3+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2021-21263: Laravel is a web application framework↗2021-01-19

▶

OSV

Query Binding Exploitation↗2021-01-19

▶

GHSA

Query Binding Exploitation↗2021-01-19

▶

📋Vendor Advisories

Debian

CVE-2021-21263: php-laravel-framework - Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30...↗2021

▶