Laravel Encrypter Component Potential Decryption Failure Leading to Unintended Behavior

2024-05-1522:08:06

Google

osv.dev

laravel

encrypter

decryption

vulnerability

weak type comparisons

attack

payload manipulation

7.1 High

AI Score

Confidence

Low

JSON

The Laravel Encrypter component is susceptible to a vulnerability that may result in decryption failure, leading to an unexpected return of false. Exploiting this issue requires the attacker to manipulate the encrypted payload before decryption. When combined with weak type comparisons in the application’s code, such as the example below:

&lt;?php

$decyptedValue = decrypt($secret);

if ($decryptedValue == '') {
    // Code is run even though decrypted value is false...
}

CPENameOperatorVersion
laravel/frameworkeq4.0.1
laravel/frameworkeq5.2.44
laravel/frameworkeq5.1.7
laravel/frameworkeq4.1.12
laravel/frameworkeq5.1.28
laravel/frameworkeq5.6.5
laravel/frameworkeq5.5.19
laravel/frameworkeq5.0.8
laravel/frameworkeq5.0.35
laravel/frameworkeq5.0.19

Name	Operator	Version
laravel/framework	eq	4.0.1
laravel/framework	eq	5.2.44
laravel/framework	eq	5.1.7
laravel/framework	eq	4.1.12
laravel/framework	eq	5.1.28
laravel/framework	eq	5.6.5
laravel/framework	eq	5.5.19
laravel/framework	eq	5.0.8
laravel/framework	eq	5.0.35
laravel/framework	eq	5.0.19

Rows per page:

1-10 of 3261

References

github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2018-03-30-1.yaml

github.com/laravel/framework

github.com/laravel/framework/commit/28e53f23a76206fb130e9a54eb95aa3f010e79c9

github.com/laravel/framework/commit/886d261df0854426b4662b7ed5db6a1c575a4279

medium.com/@taylorotwell/laravel-security-release-5-6-15-and-5-5-40-56f1257933a0

7.1 High

AI Score

Confidence

Low

JSON