Laravel Security Update Advisory (CVE-2024-52301)

Overview

 

An update has been released to address vulnerabilities in Laravel. Users of the affected versions are advised to update to the latest version.
 

 

Affected Products

CVE-2024-52301

• Laravel versions: ~ 6.20.45 (excluded)
• Laravel versions: 7.0.0 (inclusive) ~ 7.30.7 (excluded)
• Laravel versions: 8.0.0 (inclusive) ~ 8.83.28 (excluded)
• Laravel versions: 9.0.0 (inclusive) ~ 9.52.17 (excluded)
• Laravel versions: 10.0.0 (inclusive) ~ 10.48.23 (excluded)
• Laravel versions: 11.0.0 (inclusive) ~ 11.31.0 (excluded)

 

 

Resolved Vulnerabilities

 

When PHP’s register_argc_argv directive is enabled, calling a URL with a specially crafted query string could allow attackers to alter the environment variables used by the framework when processing requests (CVE-2024-52301)

 

 

Vulnerability Patches

Vulnerability Patches have been made available in the latest update. Please follow the instructions on the Referenced Sites to update to the latest Vulnerability Patches version.

 

CVE-2024-52301

• Laravel version: 6.20.45
• Laravel version: 7.30.7
• Laravel version: 8.83.28
• Laravel version: 9.52.17
• Laravel version: 10.48.23
• Laravel version: 11.31.0

 

 

Referenced Sites

[1] CVE-2024-52301 Detail

https://nvd.nist.gov/vuln/detail/CVE-2024-52301

[2] Environment manipulation via query string

https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h