CVE-2024-52301 HIGH

CVE-2024-52301: Laravel allows environment manipulation via query string

Vendor Laravel

Product framework

Weakness CWE-88

Published November 12, 2024

Last update December 21, 2024

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.

Key dates

Disclosure timeline

November 12, 2024 CVE published

December 21, 2024 Record updated

Identifiers

CVE CVE-2024-52301

CWE CWE-88

CVSS 8.7 / HIGH

Affected versions

Vendor Laravel

Product framework

Affected < 6.20.45

Vendor Laravel

Product framework

Affected >= 7.0.0, < 7.30.7

Vendor Laravel

Product framework

Affected >= 8.0.0, < 8.83.28

Vendor Laravel

Product framework

Affected >= 9.0.0, < 9.52.17

Vendor Laravel

Product framework

Affected >= 10.0.0, < 10.48.23

Vendor Laravel

Product framework

Affected >= 11.0.0, < 11.31.0