Vulnerability Description
Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Laravel | Framework | < 6.20.45 |
| Debian | Debian Linux | 11.0 |
Related Weaknesses (CWE)
References
- https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548hVendor Advisory
- https://lists.debian.org/debian-lts-announce/2024/12/msg00019.htmlMailing ListThird Party Advisory
FAQ
What is CVE-2024-52301?
CVE-2024-52301 is a vulnerability with a CVSS score of 7.5 (HIGH). Laravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment use...
How severe is CVE-2024-52301?
CVE-2024-52301 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-52301?
Check the references section above for vendor advisories and patch information. Affected products include: Laravel Framework, Debian Debian Linux.