CVE-2021-21263 HIGH

CVE-2021-21263: Query Binding Exploitation in Laravel

Vendor Laravel

Product framework

Weakness CWE-74

Published January 19, 2021

Last update August 3, 2024

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

What the vulnerability does

Description

Laravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.

Key dates

Disclosure timeline

January 19, 2021 CVE published

August 3, 2024 Record updated

Identifiers

CVE CVE-2021-21263

CWE CWE-74

CVSS 7.2 / HIGH

Affected versions

Vendor Laravel

Product framework

Affected >= 6.0.0, < 6.20.11

Vendor Laravel

Product framework

Affected >= 7.0.0, < 7.30.2

Vendor Laravel

Product framework

Affected >= 8.0.0, < 8.22.1