CVE-2024-52301
published 2024-11-12CVE-2024-52301: Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string…
PriorityP180high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
37.98%
98.4th percentile
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | php-laravel-framework | < php-laravel-framework 6.20.14+dfsg-2+deb11u2 (bullseye) | php-laravel-framework 6.20.14+dfsg-2+deb11u2 (bullseye) |
| laravel | framework | < 6.20.45 | 6.20.45 |
| laravel | framework | — | — |
| laravel | framework | — | — |
| laravel | framework | — | — |
| laravel | framework | — | — |
| laravel | framework | — | — |
| laravel | framework | >= 0 < 6.20.45 | 6.20.45 |
| laravel | framework | >= 10.0.0 < 10.48.23 | 10.48.23 |
| laravel | framework | >= 10.0.0 < 10.48.23 | 10.48.23 |
| laravel | framework | >= 11.0.0 < 11.31.0 | 11.31.0 |
| laravel | framework | >= 11.0.0 < 11.31.0 | 11.31.0 |
| laravel | framework | >= 7.0.0 < 7.30.7 | 7.30.7 |
| laravel | framework | >= 7.0.0 < 7.30.7 | 7.30.7 |
| laravel | framework | >= 8.0.0 < 8.83.28 | 8.83.28 |
| laravel | framework | >= 8.0.0 < 8.83.28 | 8.83.28 |
| laravel | framework | >= 9.0.0 < 9.52.17 | 9.52.17 |
| laravel | framework | >= 9.0.0 < 9.52.17 | 9.52.17 |
Detection & IOCsextracted from sources · hover to see the quote
- →Exploitation requires the PHP directive `register_argc_argv` to be set to `on` — detection should focus on web requests with specially crafted query strings targeting Laravel applications where this directive is enabled ↗
- →The fix causes Laravel to ignore argv values for environment detection on non-CLI SAPIs; detection logic should alert on Laravel instances running vulnerable versions (prior to 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, 11.31.0) with `register_argc_argv=on` ↗
- ·Vulnerability is only exploitable when the PHP directive `register_argc_argv` is set to `on`; this is not the default in production PHP configurations but may be enabled in some environments ↗
- ·Fixed versions are 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0; Debian bookworm remains open as of source publication date ↗
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv8.7HIGH
vulncheck8.7HIGH
vendor_debian8.7HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Debian
CVE-2024-52301: php-laravel-framework - Laravel is a web application framework. When the register_argc_argv php directiv...
vendor_debian·2024·CVSS 8.7
CVE-2024-52301 [HIGH] CVE-2024-52301: php-laravel-framework - Laravel is a web application framework. When the register_argc_argv php directiv...
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Scope: local
bookworm: open
bullseye: resolved (fixed in 6.20.14+dfsg-2+deb11u2)
forky: resolved (fixed in 10.48.25+dfsg-1)
sid: resolved (fixed in 10.48.25+dfsg-1)
trixie: resolved (fixed in 10.48.25+dfsg-1)
OSV
Laravel environment manipulation via query string
osv·2024-11-12
CVE-2024-52301 [HIGH] Laravel environment manipulation via query string
Laravel environment manipulation via query string
## Description
When the `register_argc_argv php` directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request.
## Resolution
The framework now ignores argv values for environment detection on non-cli SAPIs.
GHSA
Laravel environment manipulation via query string
ghsa·2024-11-12
CVE-2024-52301 [HIGH] CWE-88 Laravel environment manipulation via query string
Laravel environment manipulation via query string
## Description
When the `register_argc_argv php` directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request.
## Resolution
The framework now ignores argv values for environment detection on non-cli SAPIs.
OSV
CVE-2024-52301: Laravel is a web application framework
osv·2024-11-12·CVSS 8.7
CVE-2024-52301 [HIGH] CVE-2024-52301: Laravel is a web application framework
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
VulnCheck
Laravel Laravel Framework Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
vulncheck·2024·CVSS 8.7
CVE-2024-52301 [HIGH] Laravel Laravel Framework Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Laravel Laravel Framework Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Affected: Laravel Laravel Framework
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2024-52301
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-11-12
Published
Exploited in the wild