N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-2ffv-r4r9-r8xr

EPSS Score

CWE

CWE-94

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-2ffv-r4r9-r8xr

GHSA-2ffv-r4r9-r8xr: Laravel RCE vulnerability in "cookie" session driver

Application's using the "cookie" session driver were the primary applications affected by this vulnerability. Since we have not yet released a security release for the Laravel 5.5 version of the framework, we recommend that all applications running Laravel 5.5 and earlier do not use the "cookie" session driver in their production deployments.

Regarding the vulnerability, applications using the "cookie" session driver that were also exposing an encryption oracle via their application were vulnerable to remote code execution. An encryption oracle is a mechanism where arbitrary user input is encrypted and the encrypted string is later displayed or exposed to the user. This combination of scenarios lets the user generate valid Laravel signed encryption strings for any plain-text string, thus allowing them to craft Laravel session payloads when an application is using the "cookie" driver.

This fix prefixes cookie values with an HMAC hash of the cookie's name before encryption and then verifies a matching hash on decryption, making it impossible to craft a valid cookie payload even if an encryption oracle is exposed via the application.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-2ffv-r4r9-r8xr

EPSS Score

CWE

CWE-94

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
illuminate/cookie	composer	>= 4.1.0, < 6.18.31	6.18.31
illuminate/cookie	composer	>= 7.0.0, < 7.22.4	7.22.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing HMAC-based validation during cookie encryption/decryption. The pre-patch implementation in EncryptCookies middleware allowed arbitrary encrypted values to be accepted as valid cookies if an encryption oracle existed. The functions responsible for raw encryption/decryption (without HMAC context) are the core vulnerability points, as they enabled cookie forgery. The fix introduced HMAC prefixing in these methods, confirming their central role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ppli**tion's usin* t** "*ooki*" s*ssion *riv*r w*r* t** prim*ry *ppli**tions *****t** *y t*is vuln*r**ility. Sin** w* **v* not y*t r*l**s** * s**urity r*l**s* *or t** L*r*v*l *.* v*rsion o* t** *r*m*work, w* r**omm*n* t**t *ll *ppli**tions runnin* L

Reasoning

T** vuln*r**ility st*ms *rom missin* *M**-**s** `v*li**tion` *urin* *ooki* *n*ryption/***ryption. T** pr*-p*t** impl*m*nt*tion in `*n*rypt*ooki*s` mi**l*w*r* *llow** *r*itr*ry *n*rypt** v*lu*s to ** ****pt** *s v*li* *ooki*s i* *n *n*ryption or**l* *

N/A

Basic Information

Concerned about an active attack path?

GHSA-2ffv-r4r9-r8xr: Laravel RCE vulnerability in "cookie" session driver

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI