laravel/framework-v8.83.25: 5 vulnerabilities (highest severity is: 7.3) #53
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
mend-bolt-for-github
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - nesbot/carbon-2.62.1
An API extension for DateTime that supports 281 different languages.
Library home page: https://api.github.com/repos/CarbonPHP/carbon/zipball/01bc4cdefe98ef58d1f9cb31bdbbddddf2a88f7a
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.
Publish Date: 2025-01-08
URL: CVE-2025-22145
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-j3f9-p6hm-5w6q
Release Date: 2025-01-08
Fix Resolution: 2.72.6,3.8.4
Step up your Open Source Security Game with Mend here
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. When using wildcard validation to validate a given file or image field ("files.*"), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1.
Publish Date: 2025-03-05
URL: CVE-2025-27515
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-wppf-gqj5-fc4f
Release Date: 2025-03-05
Fix Resolution: v12.1.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/http-foundation-v5.4.20
Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/d0435363362a47c14e9cf50663cb8ffbf491875a
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The "Request" class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the "Request" class to redirect users to another domain. The "Request::create" methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-50345
CVSS 3 Score Details (3.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-mrqx-rp3w-jpjp
Release Date: 2024-11-06
Fix Resolution: symfony/http-foundation - v5.4.46,v6.4.14,v7.1.7
Step up your Open Source Security Game with Mend here
Vulnerable Library - laravel/framework-v8.83.25
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/b77b908a9426efa41d6286a2ef4c3adbf5398ca1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Publish Date: 2024-11-12
URL: CVE-2024-52301
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-gv7v-rgg6-548h
Release Date: 2024-11-12
Fix Resolution: laravel/framework-6.20.45,7.30.7,8.83.28,9.52.17,10.48.23,11.31.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - symfony/process-v5.4.11
Executes commands in sub-processes
Library home page: https://api.github.com/repos/symfony/process/zipball/6e75fe6874cbc7e4773d049616ab450eff537bf1
Dependency Hierarchy:
Found in HEAD commit: 76912645301fd298ea1c90c624e716dd8de2f669
Found in base branch: develop
Vulnerability Details
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-51736
CVSS 3 Score Details (0.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2024-11-06
Fix Resolution: symfony/process - v5.4.46,v6.4.14,v7.1.7
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: