
GHSA-7852-w36x-6mf6: Laravel Encrypter Component Potential Decryption Failure Leading to Unintended Behavior

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 5/15/2024
Updated: 5/15/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: -

Package Name        Ecosystem   Vulnerable Versions   First Patched Version
laravel/framework   composer    < 5.5.40              5.5.40
laravel/framework   composer    >= 5.6.0, < 5.6.15    5.6.15

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insufficient IV validation in the validPayload method. The pre-patch implementation only checked for the existence of IV/value/mac fields but didn't verify the IV length matches the cipher's requirements (via openssl_cipher_iv_length). This allowed attackers to craft payloads with invalid IV lengths that would pass initial validation but fail during actual decryption, returning false. The commit 28e53f2 specifically adds the IV length check to this function, confirming it as the vulnerable point. The function's role in payload validation makes it the critical component enabling this cryptographic weakness (CWE-1240).
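As an added illustration (not Laravel's own code and not the diff from commit 28e53f2), the PHP below shows the two validation shapes the analysis describes side by side: a presence-only check versus one that also compares the decoded IV against openssl_cipher_iv_length. The cipher name and the way the sample payload is built are assumptions.

```php
<?php
// Added example, not Laravel's code. Cipher choice is an assumption.
const CIPHER = 'aes-256-cbc';

// Pre-patch shape: only checks that the three fields exist.
function validPayloadWeak($payload): bool
{
    return is_array($payload) && isset($payload['iv'], $payload['value'], $payload['mac']);
}

// Patched shape: additionally requires the decoded IV length to match the cipher.
function validPayloadStrict($payload): bool
{
    return is_array($payload)
        && isset($payload['iv'], $payload['value'], $payload['mac'])
        && strlen(base64_decode($payload['iv'], true)) === openssl_cipher_iv_length(CIPHER);
}

// Constructed sample payload: random IV of the correct length, ciphertext, MAC over iv.value.
$key   = random_bytes(32);
$iv    = random_bytes(openssl_cipher_iv_length(CIPHER));
$value = base64_encode(openssl_encrypt('hello', CIPHER, $key, OPENSSL_RAW_DATA, $iv));
$ivB64 = base64_encode($iv);
$good  = ['iv' => $ivB64, 'value' => $value, 'mac' => hash_hmac('sha256', $ivB64 . $value, $key)];

// Constructed malformed payload: every field present, but the IV decodes to only 4 bytes.
$bad = $good;
$bad['iv'] = base64_encode('abcd');

foreach (['good' => $good, 'bad' => $bad] as $name => $p) {
    printf("%s: weak=%s strict=%s\n", $name,
        validPayloadWeak($p) ? 'pass' : 'fail',
        validPayloadStrict($p) ? 'pass' : 'fail');
}

// Only a payload that passed the strict check reaches OpenSSL (MAC verification omitted here).
if (validPayloadStrict($good)) {
    $plain = openssl_decrypt(base64_decode($good['value']), CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    printf("decrypt(good) = %s\n", var_export($plain, true));
}
```

The malformed payload passes the weak check and fails the strict one, so the strict form rejects it before any decryption call instead of letting the failure surface as a `false` return value.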


WAF Protection Rules

WAF Rule

The Laravel Encrypter component is susceptible to a vulnerability that may result in decryption failure, leading to an unexpected return of `false`. Exploiting this issue requires the attacker to manipulate the encrypted payload before decryption. W
