
CVE-2020-24940: Guard bypass in Eloquent models affecting Laravel illuminate database component

CVSS Score
7.5 (CVSS v3.1)

Basic Information

EPSS Score
0.49318%
CWE
-
Published
5/24/2022
Updated
5/15/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name         Ecosystem   Vulnerable Versions    First Patched Version
illuminate/database  composer    >= 5.5.0, <= 5.5.44    -
illuminate/database  composer    >= 6.0.0, < 6.18.34    6.18.34
illuminate/database  composer    >= 7.0.0, < 7.23.2     7.23.2
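The version ranges above are the practical check for this advisory. The following script is an added example, not code from Miggo or from the Laravel project: it reads a composer.lock and reports whether the installed illuminate/database release falls inside one of the listed vulnerable ranges. Including laravel/framework in the affected set is an assumption made here because the framework monorepo ships the illuminate/* components under the same version tags; the sample lock document is constructed for the example.

```python
"""Check a composer.lock against the illuminate/database ranges listed for CVE-2020-24940."""
import json
import re

# Vulnerable ranges from the advisory table: (lower bound inclusive, upper bound, upper bound inclusive).
# The 5.5 branch has no patched release listed, so its whole range is treated as vulnerable.
VULNERABLE_RANGES = [
    ((5, 5, 0), (5, 5, 44), True),
    ((6, 0, 0), (6, 18, 34), False),
    ((7, 0, 0), (7, 23, 2), False),
]

# Assumption: laravel/framework is the monorepo that ships illuminate/database with the
# same version number, so the same ranges are applied to it.
AFFECTED_PACKAGES = {"illuminate/database", "laravel/framework"}


def parse_version(version):
    """Turn 'v6.18.33' or '7.23.2' into (major, minor, patch); None for tags such as dev-master."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True/False for a numeric release; None when the version cannot be compared (check by hand)."""
    v = parse_version(version)
    if v is None:
        return None
    for low, high, high_inclusive in VULNERABLE_RANGES:
        in_upper = v <= high if high_inclusive else v < high
        if low <= v and in_upper:
            return True
    return False


def audit_lock(lock_json):
    """Return {package: (version, vulnerable)} for every affected package in a composer.lock document."""
    lock = json.loads(lock_json)
    findings = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name")
            if name in AFFECTED_PACKAGES:
                findings[name] = (pkg["version"], is_vulnerable(pkg["version"]))
    return findings


# Constructed sample lock file for the example; not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "illuminate/database", "version": "v7.23.1"},
        {"name": "monolog/monolog", "version": "2.1.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "patched", None: "unknown, check manually"}
    for name, (version, vulnerable) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {version}: {labels[vulnerable]}")
```

Point the script at a real file with `audit_lock(open("composer.lock").read())`. Branch versions such as `dev-master` are reported as unknown rather than silently passed, since the commit they point at cannot be placed in a release range. On Composer 2.4 or later, `composer audit` performs the same lookup against the Packagist advisory database and is the better routine check; the script is useful where that command is unavailable or where the ranges need to be pinned to this advisory.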

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from how mass assignment handled attribute keys that carried a table prefix (for example `users.email` rather than `email`). The security advisory states that Eloquent automatically stripped the table name from such keys during mass assignment, an undocumented feature. The fill() method is the entry point for mass assignment in Eloquent models; before the patch, fill() (or a helper it calls) removed the table prefix before comparing the key against the model's $fillable/$guarded arrays, so the attribute name the application had validated was not the name that reached the guard check. The patch removed the stripping, so an attribute key must now match the guard rules exactly and a prefixed key is no longer silently rewritten to a bare column name; code that relied on the old behaviour must pass plain column names. Public sources do not name the helper that performed the stripping, but fill()'s role as the mass-assignment entry point makes it the call site to review.

WAF Protection Rules

WAF Rule

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database component in some situations in which table names are stripped during a mass assignment.
