Laravel Encrypter Component Potential Decryption Failure Leading to Unintended Behavior

2024-05-1522:08:06

CWE-1240

GitHub Advisory Database

github.com

laravel

encrypter

vulnerability

decryption

failure

manipulation

payload

weak type comparisons

application code

7.1 High

AI Score

Confidence

Low

JSON

The Laravel Encrypter component is susceptible to a vulnerability that may result in decryption failure, leading to an unexpected return of false. Exploiting this issue requires the attacker to manipulate the encrypted payload before decryption. When combined with weak type comparisons in the application’s code, such as the example below:

&lt;?php

$decyptedValue = decrypt($secret);

if ($decryptedValue == '') {
    // Code is run even though decrypted value is false...
}

Affected configurations

Vulners

Node

laravelframeworkRange<5.6.15

laravelframeworkRange<5.5.40

CPENameOperatorVersion
laravel/frameworklt5.6.15
laravel/frameworklt5.5.40

CPE	Name	Operator	Version
	laravel/framework	lt	5.6.15
	laravel/framework	lt	5.5.40

References

github.com/advisories/GHSA-7852-w36x-6mf6

github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2018-03-30-1.yaml

github.com/laravel/framework/commit/28e53f23a76206fb130e9a54eb95aa3f010e79c9

github.com/laravel/framework/commit/886d261df0854426b4662b7ed5db6a1c575a4279

medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0

7.1 High

AI Score

Confidence

Low

JSON