CVE-2024-52301

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)

Published: Nov 12, 2024 / Updated: 7d ago

CVSS 8.7 / EPSS 0.04% / High

Summary

Laravel, a web application framework, has a vulnerability that lets users change the environment the framework uses when handling requests. It occurs when the register_argc_argv PHP directive is set to 'on' and a user calls any URL with a specially crafted query string. To address the issue, the framework now ignores argv values for environment detection on non-CLI SAPIs.

Impact

This vulnerability allows attackers to potentially manipulate the application's environment, which could lead to unauthorized access, data manipulation, or execution of malicious code. The high integrity impact (CVSS v4 VI:H) suggests that attackers could significantly alter system data or operations. This could result in compromised application behavior, potential data breaches, or system instability.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

Patches are available. The vulnerability has been fixed in Laravel versions 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0.

Mitigation

1. Update Laravel to the patched versions immediately: 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, or 11.31.0, depending on your current major version.
2. If immediate updating is not possible, disable the register_argc_argv php directive by setting it to 'off' in your PHP configuration.
3. Implement strict input validation and sanitization for all user-supplied data, especially in query strings.
4. Monitor for unusual or suspicious requests that might attempt to exploit this vulnerability.
5. Apply the principle of least privilege to your Laravel applications to minimize potential impact.
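One way to check steps 1 and 2 on a deployed application, as an added example that is not part of the advisory or Laravel's own code: it reads the installed laravel/framework version from composer.lock and the register_argc_argv setting from php.ini text. The function names and the sample lock and ini data are constructed for illustration; major versions the advisory does not list are reported as unknown.

```python
import json
import re

# Patched releases per major version, as listed in the advisory above.
PATCHED = {6: (6, 20, 45), 7: (7, 30, 7), 8: (8, 83, 28),
           9: (9, 52, 17), 10: (10, 48, 23), 11: (11, 31, 0)}

def parse_version(text):
    """Turn 'v10.48.22' or '11.31.0' into a tuple of ints; None if unparsable."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def framework_status(composer_lock_text):
    """Return 'patched', 'vulnerable', 'unknown' or 'not-installed'."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "laravel/framework":
            ver = parse_version(pkg.get("version", ""))
            if ver is None or ver[0] not in PATCHED:
                return "unknown"  # dev branch, or a major the advisory does not list
            return "patched" if ver >= PATCHED[ver[0]] else "vulnerable"
    return "not-installed"

def argc_argv_enabled(php_ini_text):
    """Last uncommented register_argc_argv setting wins; None if never set."""
    value = None
    for line in php_ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        m = re.match(r'register_argc_argv\s*=\s*"?(\w+)"?', line, re.I)
        if m:
            value = m.group(1).lower() in ("on", "1", "true", "yes")
    return value

def exposed(composer_lock_text, php_ini_text):
    """Unpatched framework and the directive not explicitly off.
    An unset directive falls back to PHP's built-in default, so only an
    explicit Off counts as the step 2 workaround being in place."""
    return (framework_status(composer_lock_text) == "vulnerable"
            and argc_argv_enabled(php_ini_text) is not False)

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v10.48.22"}]})
SAMPLE_INI = "; constructed sample\nregister_argc_argv = On\n"

if __name__ == "__main__":
    print(framework_status(SAMPLE_LOCK), argc_argv_enabled(SAMPLE_INI),
          exposed(SAMPLE_LOCK, SAMPLE_INI))
```

Feed it the php.ini that the web SAPI actually loads (the path shown by phpinfo() for that SAPI), since the CLI and web server often use different files.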

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

Vendor Advisory

GitHub Advisories released a security advisory.

Nov 12, 2024 at 6:19 PM

CVE Assignment

NVD published the first details for CVE-2024-52301

Nov 12, 2024 at 8:15 PM

CVSS

A CVSS base score of 8.7 has been assigned.

Nov 12, 2024 at 8:20 PM / nvd

First Article

Feedly found the first article mentioning CVE-2024-52301.

Nov 12, 2024 at 8:22 PM / National Vulnerability Database

CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 12, 2024 at 8:22 PM

CVSS

A CVSS base score of 8.7 has been assigned.

Nov 13, 2024 at 3:40 PM / nvd

EPSS

EPSS Score was set to: 0.04% (Percentile: 10.1%)

Nov 13, 2024 at 3:40 PM

Threat Intelligence Report

CVE-2024-52301 is a critical vulnerability in the Laravel framework, rated 8.7 on the CVSS scale, stemming from improper input validation related to PHP’s register_argc_argv directive, which could allow attackers to gain unauthorized access and escalate privileges in Laravel applications. Laravel has issued patches for affected versions, advising immediate upgrades to mitigate the risk, as the flaw impacts multiple versions of the framework. There is no mention of exploitation in the wild or proof-of-concept exploits in the provided article.

Nov 15, 2024 at 2:29 AM

Affected Systems

Laravel/framework

Patches

Github Advisory

Attack Patterns

CAPEC-137: Parameter Injection

Vendor Advisory

[GHSA-gv7v-rgg6-548h] Laravel environment manipulation via query string
GitHub Security Advisory: GHSA-gv7v-rgg6-548h
Release Date: 2024-11-12
Update Date: 2024-11-13
Severity: High
CVE-2024-52301

Package Information
Package: laravel/framework
Affected Versions:
Patched Versions: 6.20.45

Description
When the register_argc_argv php directive is set to on, and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request.

Resolution
The framework now ignores argv values for environment detection on non-cli SAPIs.

References
GHSA-gv7v-rgg6-548h
https://nvd.nist.gov/vuln/detail/CVE-2024-52301

References

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access
If not properly mitigated, attackers can exploit the vulnerability to bypass security controls, gain unauthorized access, and manipulate sensitive data. The vulnerability allows unauthorized access by exploiting improperly validated inputs, potentially leading to privilege escalation, data tampering, or full system compromise.
Critical Laravel Flaw (CVE-2024-52301) Exposes Millions of Web Applications to Attack
Since register_argc_argv allows access to command-line arguments, Laravel applications with this setting enabled face increased risk, as malicious actors may exploit PHP’s default behavior, gaining unauthorized control over application environments. Organizations relying on these versions of Laravel for public-facing applications are particularly at risk, as attackers could exploit this vulnerability to escalate privileges, access sensitive data, and even inject malicious code.

News

IT Security News Weekly Summary – Week 46
martinhaunschmid/CVE-2024-52301-Research
[GitHub]A bit of research around CVE-2024-52301
7 - CVE-2024-52301
Currently trending CVE - hypeScore: 4 - Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45
Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access
[CERT-daily] Daily summary - 15.11.2024

CVSS V3.1

Unknown
