CVE-2024-51758

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-51758
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-51758.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-51758
Aliases
Published
2024-11-07T17:46:36.151Z
Modified
2025-12-01T17:48:10.738149Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator
Summary
Exported files stored in default (`public`) filesystem if not reconfigured in filament
Details

Filament is a collection of full-stack components for accelerated Laravel development. All Filament features that interact with storage use the default_filesystem_disk config option. This allows the user to easily swap their storage driver to something production-ready like s3 when deploying their app, without having to touch multiple configuration options and potentially forgetting about some. The default disk is set to public when you first install Filament, since this allows users to quickly get started developing with a functional disk that allows features such as file upload previews locally without the need to set up an S3 disk with temporary URL support. However, some features of Filament such as exports also rely on storage, and the files that are stored contain data that should often not be public. This is not an issue for the many deployed applications, since many use a secure default disk such as S3 in production. However, CWE-1188 suggests that having the public disk as the default disk in Filament is a security vulnerability itself. As such, we have implemented a measure to protect users whereby if the public disk is set as the default disk, the exports feature will automatically swap it out for the local disk, if that exists. Users who set the default disk to local or s3 already are not affected. If a user wants to continue to use the public disk for exports, they can by setting the export disk deliberately. This change has been included in the 3.2.123 release and all users who use the public disk are advised to upgrade.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1188"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/51xxx/CVE-2024-51758.json"
}
References

Affected packages

Git / github.com/filamentphp/filament

Affected ranges

Type
GIT
Repo
https://github.com/filamentphp/filament
Events
Introduced
21e5257f3065ec9de44cc03ccd030dba94fbe6b0
Fixed
6480eb9581bfb8477b0c098bbb203df674e36c1a
Database specific 
{
    "versions": [
        {
            "introduced": "3.2.0"
        },
        {
            "fixed": "3.2.123"
        }
    ]
}

Affected versions

v3.*

v3.2.0
v3.2.1
v3.2.10
v3.2.100
v3.2.101
v3.2.102
v3.2.103
v3.2.104
v3.2.105
v3.2.106
v3.2.107
v3.2.108
v3.2.109
v3.2.11
v3.2.110
v3.2.111
v3.2.112
v3.2.113
v3.2.114
v3.2.115
v3.2.116
v3.2.117
v3.2.118
v3.2.119
v3.2.12
v3.2.120
v3.2.121
v3.2.122
v3.2.13
v3.2.14
v3.2.15
v3.2.16
v3.2.17
v3.2.18
v3.2.19
v3.2.2
v3.2.20
v3.2.21
v3.2.22
v3.2.23
v3.2.24
v3.2.25
v3.2.25-beta1
v3.2.26
v3.2.27
v3.2.28
v3.2.29
v3.2.3
v3.2.30
v3.2.31
v3.2.32
v3.2.33
v3.2.34
v3.2.35
v3.2.36
v3.2.37
v3.2.38
v3.2.39
v3.2.4
v3.2.40
v3.2.41
v3.2.42
v3.2.43
v3.2.44
v3.2.45
v3.2.46
v3.2.47
v3.2.48
v3.2.49
v3.2.5
v3.2.50
v3.2.51
v3.2.52
v3.2.53
v3.2.54
v3.2.55
v3.2.56
v3.2.57
v3.2.58
v3.2.59
v3.2.6
v3.2.60
v3.2.61
v3.2.62
v3.2.63
v3.2.64
v3.2.65
v3.2.66
v3.2.67
v3.2.68
v3.2.69
v3.2.7
v3.2.70
v3.2.71
v3.2.72
v3.2.73
v3.2.74
v3.2.75
v3.2.76
v3.2.77
v3.2.78
v3.2.79
v3.2.8
v3.2.80
v3.2.81
v3.2.82
v3.2.83
v3.2.84
v3.2.85
v3.2.86
v3.2.87
v3.2.87-beta1
v3.2.88
v3.2.89
v3.2.9
v3.2.90
v3.2.91
v3.2.92
v3.2.93
v3.2.94
v3.2.95
v3.2.96
v3.2.97
v3.2.98
v3.2.99