GHSA-6wjw-qf87-fv5v

Suggest an improvement
Source
https://github.com/advisories/GHSA-6wjw-qf87-fv5v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-6wjw-qf87-fv5v/GHSA-6wjw-qf87-fv5v.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6wjw-qf87-fv5v
Published
2024-05-15T22:01:01Z
Modified
2024-11-29T05:34:53.539316Z
Summary
Laravel Encrypter Failure to decryption vulnerability
Details

A potential exploit of the Laravel Encrypter component that may cause the Encrypter to fail on decryption and unexpectedly return false.

To exploit this, the attacker must be able to modify the encrypted payload before it is decrypted. Depending on the code within your application, this could lead to unexpected behavior when combined with weak type comparisons, for example:

<?php

$decyptedValue = decrypt($secret);

if ($decryptedValue == '') {
    // Code is run even though decrypted value is false...
}
Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-1240"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T22:01:01Z"
}
References

Affected packages

Packagist / illuminate/encryption

Package

Name
illuminate/encryption
Purl
pkg:composer/illuminate/encryption

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.5.40

Affected versions

v5.*

v5.5.0
v5.5.2
v5.5.16
v5.5.17
v5.5.28
v5.5.33
v5.5.34
v5.5.35
v5.5.36
v5.5.37
v5.5.39

Packagist / illuminate/encryption

Package

Name
illuminate/encryption
Purl
pkg:composer/illuminate/encryption

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.6.0
Fixed
5.6.15

Affected versions

v5.*

v5.6.0
v5.6.1
v5.6.2
v5.6.3
v5.6.4
v5.6.5
v5.6.6
v5.6.7
v5.6.8
v5.6.9
v5.6.10
v5.6.11
v5.6.12
v5.6.13
v5.6.14