CVE-2024-52301 — Argument Injection in Framework

CWE-88 — Argument Injection6 documents5 sources

Severity

8.7HIGHNVD

EPSS

65.7%

top 1.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Laravel Framework Debian Php-laravel-framework Debian Linux

Timeline

PublishedNov 12

Description

Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶NVDlaravel/framework7.0.0 — 7.30.7+5

▶Packagistlaravel/framework7.0.0 — 7.30.7+5

▶debiandebian/php-laravel-framework< php-laravel-framework 6.20.14+dfsg-2+deb11u2 (bullseye)

▶CVEListV5laravel/framework5 versions+4

Also affects: Debian Linux 11.0

🔴Vulnerability Details

OSV

Laravel environment manipulation via query string↗2024-11-12

▶

GHSA

Laravel environment manipulation via query string↗2024-11-12

▶

OSV

CVE-2024-52301: Laravel is a web application framework↗2024-11-12

▶

VulnCheck

Laravel Laravel Framework Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')↗2024

▶

📋Vendor Advisories

Debian

CVE-2024-52301: php-laravel-framework - Laravel is a web application framework. When the register_argc_argv php directiv...↗2024

▶