Homepage
About Snyk

SQL Injection Affecting laravel/framework package, versions >=6.0.0, <6.20.11 >=7.0.0, <7.30.2 >=8.0.0, <8.22.1

0.0
high

Snyk CVSS

    Attack Complexity Low
    Confidentiality High

    Threat Intelligence

    Exploit Maturity Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-LARAVELFRAMEWORK-1060045
  • published 14 Jan 2021
  • disclosed 14 Jan 2021
  • credit Charles Fol
Report a new vulnerability Found a mistake?

Introduced: 14 Jan 2021

CVE NOT AVAILABLE CWE-89 Open this link in a new tab

How to fix?

Upgrade laravel/framework to version 6.20.11, 7.30.2, 8.22.1 or higher.

Overview

laravel/framework is a PHP framework for web artisans.

Affected versions of this package are vulnerable to SQL Injection. Laravel database query builder as part of its where and similar methods accepts two parameters - name of a column and a value which provided column should contain. Issue comes from the value parameter which accepts an array as possible input. When an array is added - laravel query builder takes all items from it and uses them in a given order as database binding parameters. Finally, when constructed query is executed it takes all provided binding parameters as is which leads to a possibility where items from an array value will be used as values for other parts of the query thus leaking of unintended data.

Example of a problematic query:

// HTTP Request Query: https://laravel.com/users?id[]=1&id[]=1
$id = Request::input('id');
User::where('id', $id)->where('is_admin', 0)->first();
// This could lead to a query where "is_admin" column is set to 1.