N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-6wjw-qf87-fv5v

EPSS Score

CWE

CWE-1240

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-6wjw-qf87-fv5v

GHSA-6wjw-qf87-fv5v: Laravel Encrypter Failure to decryption vulnerability

A potential exploit of the Laravel Encrypter component that may cause the Encrypter to fail on decryption and unexpectedly return false.

To exploit this, the attacker must be able to modify the encrypted payload before it is decrypted. Depending on the code within your application, this could lead to unexpected behavior when combined with weak type comparisons, for example:

<?php

$decyptedValue = decrypt($secret);

if ($decryptedValue == '') {
    // Code is run even though decrypted value is false...
}

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-6wjw-qf87-fv5v

GHSA-6wjw-qf87-fv5v:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-6wjw-qf87-fv5v

EPSS Score

CWE

CWE-1240

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
illuminate/encryption	composer	>= 5.5.0, < 5.5.40	5.5.40
illuminate/encryption	composer	>= 5.6.0, < 5.6.15	5.6.15

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient IV validation in the validPayload method. The patch added a critical check for IV length compatibility with the cipher algorithm. Prior versions would accept any IV that was base64 decodable, regardless of its actual length after decoding. This weakness in cryptographic validation (CWE-1240) made decryption susceptible to manipulated payloads, particularly when applications used loose comparisons (==) with the decryption result.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-6wjw-qf87-fv5v: Laravel Encrypter Failure to decryption vulnerability

GHSA-6wjw-qf87-fv5v:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

GHSA-6wjw-qf87-fv5v: Laravel Encrypter Failure to decryption vulnerability

Technical Details

N/A

N/A

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI