CVE-2022-40482: Observable Discrepancy in Framework

Severity
5.3 MEDIUM (NVD)
EPSS
0.3%
top 46.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 25

Description

The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when no matching user is found: the password hash is never checked for an unknown user, so that path completes measurably faster than a wrong-password attempt for an existing user.
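The early-return shape described above, shown beside a hardened variant that always performs the hash check and pads every failed attempt to a fixed minimum duration. This is an added illustration in plain PHP, not Laravel's SessionGuard or its actual patch; the in-memory user list, the retrieveByCredentials helper and the sample account are constructed for the example.

```php
<?php
// Added example (not Laravel's code): the vulnerable early-return shape next to a hardened one.
// A hypothetical in-memory lookup stands in for Illuminate's UserProvider; the user data is constructed.
$users = ['alice@example.com' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10])];

function retrieveByCredentials(array $users, string $email): ?array
{
    return isset($users[$email]) ? ['email' => $email, 'hash' => $users[$email]] : null;
}

// Vulnerable shape: when no user is found, return before any hash check runs, so an
// "unknown user" response is measurably faster than a "wrong password" response.
function hasValidCredentialsVulnerable(array $users, string $email, string $password): bool
{
    $user = retrieveByCredentials($users, $email);
    if ($user === null) {
        return false; // early return: no password_verify() cost at all
    }
    return password_verify($password, $user['hash']);
}

// Hardened shape: always pay the bcrypt cost (against a dummy hash when the user is absent)
// and pad every failed attempt to a fixed minimum duration; only success may return early.
function hasValidCredentialsHardened(array $users, string $email, string $password, int $minMicros = 200000): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => 10]);

    $start = hrtime(true);
    $user = retrieveByCredentials($users, $email);
    $valid = password_verify($password, $user['hash'] ?? $dummyHash) && $user !== null;
    if (!$valid) {
        $elapsedMicros = intdiv(hrtime(true) - $start, 1000);
        if ($elapsedMicros < $minMicros) {
            usleep($minMicros - $elapsedMicros); // flatten the failure path to a constant floor
        }
    }
    return $valid;
}

// Crude local measurement of the discrepancy each shape exposes (milliseconds).
function timeCall(callable $fn): float { $t = hrtime(true); $fn(); return (hrtime(true) - $t) / 1e6; }
printf("vulnerable: unknown user %.1f ms, wrong password %.1f ms\n",
    timeCall(fn() => hasValidCredentialsVulnerable($users, 'nobody@example.com', 'x')),
    timeCall(fn() => hasValidCredentialsVulnerable($users, 'alice@example.com', 'x')));
printf("hardened:   unknown user %.1f ms, wrong password %.1f ms\n",
    timeCall(fn() => hasValidCredentialsHardened($users, 'nobody@example.com', 'x')),
    timeCall(fn() => hasValidCredentialsHardened($users, 'alice@example.com', 'x')));
```

Run with `php example.php` (PHP 7.4 or newer): the vulnerable pair differs by roughly one bcrypt verification, while the hardened pair both sit at the 200 ms floor.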

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (1 package)

Source: NVD | Package: laravel/framework | Versions: 8.0.0 to 8.83.24 (+1 further range)

Patches

Vulnerability Details

1 entry

GHSA: GHSA-5qxg-5vwh-7j5j: "The authentication method in Laravel 8" (2023-04-25)
CVE-2022-40482 — Observable Discrepancy in Framework | cvebase