7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-24940

GHSA ID

GHSA-c7rm-w2hj-x8g3

EPSS Score

0.49318%

CWE

Published

5/24/2022

Updated

5/15/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-24940

CVE-2020-24940: Guard bypass in Eloquent models affecting Laravel illuminate database component

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database component in some situations in which table names are stripped during a mass assignment.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-24940

GHSA ID

GHSA-c7rm-w2hj-x8g3

EPSS Score

0.49318%

CWE

Published

5/24/2022

Updated

5/15/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
illuminate/database	composer	>= 5.5.0, <= 5.5.44
illuminate/database	composer	>= 6.0.0, < 6.18.34	6.18.34
illuminate/database	composer	>= 7.0.0, < 7.23.2	7.23.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how mass assignment handled attribute names with table prefixes. The security advisory explicitly mentions that Eloquent automatically stripped table names during mass assignment as an undocumented feature. The fill() method is the primary entry point for mass assignment operations in Eloquent models. Before patching, this method (or its dependencies) would process attributes by removing table prefixes before checking against $fillable/$guarded arrays, creating a mismatch between validated attributes and guard-checked attributes. The patch removed this stripping behavior, forcing attributes to match guard rules exactly. While the exact helper method for stripping isn't named in public sources, the fill() method's role in mass assignment makes it the clear entry point for this vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in L*r*v*l ***or* *.**.** *n* *.x ***or* *.**.*. Unv*li**t** v*lu*s *r* s*v** to t** **t***s* *ompon*nt in som* situ*tions in w*i** t**l* n*m*s *r* stripp** *urin* * m*ss *ssi*nm*nt.

Reasoning

T** vuln*r**ility st*ms *rom *ow m*ss *ssi*nm*nt **n*l** *ttri*ut* n*m*s wit* t**l* pr**ix*s. T** s**urity **visory *xpli*itly m*ntions t**t *loqu*nt *utom*ti**lly stripp** t**l* n*m*s *urin* m*ss *ssi*nm*nt *s *n un*o*um*nt** ***tur*. T** *ill() m*t

7.5

Basic Information

Concerned about an active attack path?

CVE-2020-24940: Guard bypass in Eloquent models affecting Laravel illuminate database component

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI