CVE-2020-24940 - OpenCVE

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database in some situations in which table names are stripped during a mass assignment.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Laravel	Laravel

Configuration 1 [-]

OR	cpe:2.3:a:laravel:laravel::::::::
	cpe:2.3:a:laravel:laravel::::::::

References

Link	Resource
https://blog.laravel.com/security-release-laravel-61834-7232	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-09-04T01:28:09

Updated: 2020-09-04T01:28:09

Reserved: 2020-08-28T00:00:00

Link: CVE-2020-24940

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-09-04T02:15:10.723

Modified: 2020-09-11T17:04:26.807

Link: CVE-2020-24940

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:laravel:laravel:*:*:*:*:*:*:*:*", "matchCriteriaId": "4CB438AB-1948-4030-873A-4AEB6018EB90", "versionEndExcluding": "6.18.34", "vulnerable": true}, {"criteria": "cpe:2.3:a:laravel:laravel:*:*:*:*:*:*:*:*", "matchCriteriaId": "DFAB30A2-14F9-40DE-A071-0D131518203D", "versionEndExcluding": "7.23.2", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database in some situations in which table names are stripped during a mass assignment."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Laravel versiones anteriores a 6.18.34 y versiones 7.x anteriores a 7.23.2. Los valores no validados se guardan en la base de datos en algunas situaciones en las que los nombres de las tablas son eliminados durante una asignaci\u00f3n masiva"}], "id": "CVE-2020-24940", "lastModified": "2020-09-11T17:04:26.807", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-04T02:15:10.723", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://blog.laravel.com/security-release-laravel-61834-7232"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}