Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0yZmZ2LXI0cjktcjh4cs4AA8Ie
Laravel RCE vulnerability in "cookie" session driver
Application's using the "cookie" session driver were the primary applications affected by this vulnerability. Since we have not yet released a security release for the Laravel 5.5 version of the framework, we recommend that all applications running Laravel 5.5 and earlier do not use the "cookie" session driver in their production deployments.
Regarding the vulnerability, applications using the "cookie" session driver that were also exposing an encryption oracle via their application were vulnerable to remote code execution. An encryption oracle is a mechanism where arbitrary user input is encrypted and the encrypted string is later displayed or exposed to the user. This combination of scenarios lets the user generate valid Laravel signed encryption strings for any plain-text string, thus allowing them to craft Laravel session payloads when an application is using the "cookie" driver.
This fix prefixes cookie values with an HMAC hash of the cookie's name before encryption and then verifies a matching hash on decryption, making it impossible to craft a valid cookie payload even if an encryption oracle is exposed via the application.
Permalink: https://github.com/advisories/GHSA-2ffv-r4r9-r8xrJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yZmZ2LXI0cjktcjh4cs4AA8Ie
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 4 months ago
Updated: 4 months ago
Identifiers: GHSA-2ffv-r4r9-r8xr
References:
- https://blog.laravel.com/laravel-cookie-security-releases
- https://github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/cookie/2020-07-27-1.yaml
- https://github.com/advisories/GHSA-2ffv-r4r9-r8xr
Affected Packages
packagist:illuminate/cookie
Dependent packages: 141Dependent repositories: 1,458
Downloads: 3,308,182 total
Affected Version Ranges: >= 7.0.0, < 7.22.4, >= 4.1.0, < 6.18.31
Fixed in: 7.22.4, 6.18.31
All affected versions: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16, 4.1.17, 4.1.18, 4.1.19, 4.1.20, 4.1.21, 4.1.22, 4.1.23, 4.1.24, 4.1.25, 4.1.26, 4.1.27, 4.1.28, 4.1.29, 4.1.30, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.12, 4.2.16, 4.2.17, 5.0.0, 5.0.4, 5.0.22, 5.0.25, 5.0.26, 5.0.28, 5.0.33, 5.1.1, 5.1.2, 5.1.6, 5.1.8, 5.1.13, 5.1.16, 5.1.20, 5.1.22, 5.1.25, 5.1.28, 5.1.30, 5.1.31, 5.1.41, 5.2.0, 5.2.6, 5.2.7, 5.2.19, 5.2.21, 5.2.24, 5.2.25, 5.2.26, 5.2.27, 5.2.28, 5.2.31, 5.2.32, 5.2.37, 5.2.43, 5.2.45, 5.3.0, 5.3.4, 5.3.16, 5.3.23, 5.4.0, 5.4.9, 5.4.13, 5.4.17, 5.4.19, 5.4.27, 5.4.36, 5.5.0, 5.5.2, 5.5.16, 5.5.17, 5.5.28, 5.5.33, 5.5.34, 5.5.35, 5.5.36, 5.5.37, 5.5.39, 5.5.40, 5.5.41, 5.5.43, 5.5.44, 5.6.0, 5.6.1, 5.6.2, 5.6.3, 5.6.4, 5.6.5, 5.6.6, 5.6.7, 5.6.8, 5.6.9, 5.6.10, 5.6.11, 5.6.12, 5.6.13, 5.6.14, 5.6.15, 5.6.16, 5.6.17, 5.6.19, 5.6.20, 5.6.21, 5.6.22, 5.6.23, 5.6.24, 5.6.25, 5.6.26, 5.6.27, 5.6.28, 5.6.29, 5.6.30, 5.6.31, 5.6.32, 5.6.33, 5.6.34, 5.6.35, 5.6.36, 5.6.37, 5.6.38, 5.6.39, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 5.7.4, 5.7.5, 5.7.6, 5.7.7, 5.7.8, 5.7.9, 5.7.10, 5.7.11, 5.7.15, 5.7.17, 5.7.18, 5.7.19, 5.7.20, 5.7.21, 5.7.22, 5.7.23, 5.7.26, 5.7.27, 5.7.28, 5.8.0, 5.8.2, 5.8.3, 5.8.4, 5.8.8, 5.8.9, 5.8.11, 5.8.12, 5.8.14, 5.8.15, 5.8.17, 5.8.18, 5.8.19, 5.8.20, 5.8.22, 5.8.24, 5.8.27, 5.8.28, 5.8.29, 5.8.30, 5.8.31, 5.8.32, 5.8.33, 5.8.34, 5.8.35, 5.8.36, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.1.0, 6.2.0, 6.3.0, 6.4.1, 6.5.0, 6.5.1, 6.5.2, 6.6.0, 6.6.1, 6.6.2, 6.7.0, 6.8.0, 6.10.0, 6.11.0, 6.12.0, 6.13.0, 6.13.1, 6.14.0, 6.15.0, 6.15.1, 6.16.0, 6.17.0, 6.17.1, 6.18.0, 6.18.1, 6.18.2, 6.18.3, 6.18.4, 6.18.5, 6.18.6, 6.18.7, 6.18.8, 6.18.9, 6.18.10, 6.18.11, 6.18.12, 6.18.13, 6.18.14, 6.18.15, 6.18.16, 6.18.17, 6.18.18, 6.18.19, 6.18.20, 6.18.21, 6.18.22, 6.18.23, 6.18.24, 6.18.25, 6.18.26, 6.18.27, 6.18.28, 6.18.29, 6.18.30, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.2.0, 7.2.1, 7.2.2, 7.3.0, 7.4.0, 7.5.0, 7.5.1, 7.5.2, 7.6.0, 7.6.1, 7.6.2, 7.7.0, 7.7.1, 7.8.0, 7.8.1, 7.9.0, 7.9.1, 7.9.2, 7.10.0, 7.10.1, 7.10.2, 7.10.3, 7.11.0, 7.12.0, 7.13.0, 7.14.0, 7.14.1, 7.15.0, 7.16.0, 7.16.1, 7.17.0, 7.17.1, 7.17.2, 7.18.0, 7.19.0, 7.19.1, 7.20.0, 7.21.0, 7.22.0, 7.22.1, 7.22.2, 7.22.3
All unaffected versions: 1.0.0, 1.1.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 6.18.31, 6.18.32, 6.18.33, 6.18.34, 6.18.35, 6.18.36, 6.18.37, 6.18.38, 6.18.39, 6.18.40, 6.18.41, 6.18.42, 6.18.43, 6.19.0, 6.19.1, 6.20.0, 6.20.1, 6.20.2, 6.20.3, 6.20.4, 6.20.5, 6.20.6, 6.20.7, 6.20.8, 6.20.9, 6.20.10, 6.20.11, 6.20.12, 6.20.13, 6.20.14, 6.20.15, 6.20.16, 6.20.17, 6.20.18, 6.20.19, 6.20.20, 6.20.21, 6.20.22, 6.20.23, 6.20.24, 6.20.25, 6.20.26, 6.20.27, 6.20.28, 6.20.29, 6.20.30, 6.20.31, 6.20.32, 6.20.33, 6.20.34, 6.20.35, 6.20.36, 6.20.37, 6.20.38, 6.20.39, 6.20.40, 6.20.41, 6.20.42, 6.20.43, 6.20.44, 7.22.4, 7.23.0, 7.23.1, 7.23.2, 7.24.0, 7.25.0, 7.26.0, 7.26.1, 7.27.0, 7.28.0, 7.28.1, 7.28.2, 7.28.3, 7.28.4, 7.29.0, 7.29.1, 7.29.2, 7.29.3, 7.30.0, 7.30.1, 7.30.2, 7.30.3, 7.30.4, 7.30.5, 7.30.6, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.0, 8.7.1, 8.8.0, 8.9.0, 8.10.0, 8.11.0, 8.11.1, 8.11.2, 8.12.0, 8.12.1, 8.12.2, 8.12.3, 8.13.0, 8.14.0, 8.15.0, 8.16.0, 8.16.1, 8.17.0, 8.17.2, 8.18.0, 8.18.1, 8.19.0, 8.20.0, 8.20.1, 8.21.0, 8.22.0, 8.22.1, 8.23.1, 8.24.0, 8.25.0, 8.26.0, 8.26.1, 8.27.0, 8.28.0, 8.28.1, 8.29.0, 8.30.0, 8.30.1, 8.31.0, 8.32.0, 8.32.1, 8.33.0, 8.33.1, 8.34.0, 8.35.0, 8.35.1, 8.36.0, 8.36.1, 8.36.2, 8.37.0, 8.38.0, 8.39.0, 8.40.0, 8.41.0, 8.42.0, 8.42.1, 8.43.0, 8.44.0, 8.45.0, 8.45.1, 8.46.0, 8.47.0, 8.48.0, 8.48.1, 8.48.2, 8.49.0, 8.49.1, 8.49.2, 8.50.0, 8.51.0, 8.52.0, 8.53.0, 8.53.1, 8.54.0, 8.55.0, 8.56.0, 8.57.0, 8.58.0, 8.59.0, 8.60.0, 8.61.0, 8.62.0, 8.63.0, 8.64.0, 8.65.0, 8.66.0, 8.67.0, 8.68.0, 8.68.1, 8.69.0, 8.70.0, 8.70.1, 8.70.2, 8.71.0, 8.72.0, 8.73.0, 8.73.1, 8.73.2, 8.74.0, 8.75.0, 8.76.0, 8.76.1, 8.76.2, 8.77.0, 8.77.1, 8.78.0, 8.78.1, 8.79.0, 8.80.0, 8.81.0, 8.82.0, 8.83.0, 8.83.1, 8.83.2, 8.83.3, 8.83.4, 8.83.5, 8.83.6, 8.83.7, 8.83.8, 8.83.9, 8.83.10, 8.83.11, 8.83.12, 8.83.13, 8.83.14, 8.83.15, 8.83.16, 8.83.17, 8.83.18, 8.83.19, 8.83.20, 8.83.21, 8.83.22, 8.83.23, 8.83.24, 8.83.25, 8.83.26, 8.83.27, 9.0.0, 9.0.1, 9.0.2, 9.1.0, 9.2.0, 9.3.0, 9.3.1, 9.4.0, 9.4.1, 9.5.0, 9.5.1, 9.6.0, 9.7.0, 9.8.0, 9.8.1, 9.9.0, 9.10.0, 9.10.1, 9.11.0, 9.12.0, 9.12.1, 9.12.2, 9.13.0, 9.14.0, 9.14.1, 9.15.0, 9.16.0, 9.17.0, 9.18.0, 9.19.0, 9.20.0, 9.21.0, 9.21.1, 9.21.2, 9.21.3, 9.21.4, 9.21.5, 9.21.6, 9.22.0, 9.22.1, 9.23.0, 9.24.0, 9.25.0, 9.25.1, 9.26.0, 9.26.1, 9.27.0, 9.28.0, 9.29.0, 9.30.0, 9.30.1, 9.31.0, 9.32.0, 9.33.0, 9.34.0, 9.35.0, 9.35.1, 9.36.0, 9.36.1, 9.36.2, 9.36.3, 9.36.4, 9.37.0, 9.38.0, 9.39.0, 9.40.0, 9.40.1, 9.41.0, 9.42.0, 9.42.1, 9.42.2, 9.43.0, 9.44.0, 9.45.0, 9.45.1, 9.46.0, 9.47.0, 9.48.0, 9.49.0, 9.50.0, 9.50.1, 9.50.2, 9.51.0, 9.52.0, 9.52.1, 9.52.2, 9.52.3, 9.52.4, 9.52.5, 9.52.6, 9.52.7, 9.52.8, 9.52.9, 9.52.10, 9.52.11, 9.52.12, 9.52.13, 9.52.14, 9.52.15, 9.52.16, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.1.0, 10.1.1, 10.1.2, 10.1.3, 10.1.4, 10.1.5, 10.2.0, 10.3.0, 10.3.1, 10.3.2, 10.3.3, 10.4.0, 10.4.1, 10.5.0, 10.5.1, 10.6.0, 10.6.1, 10.6.2, 10.7.0, 10.7.1, 10.8.0, 10.9.0, 10.10.0, 10.10.1, 10.11.0, 10.12.0, 10.13.0, 10.13.1, 10.13.2, 10.13.3, 10.13.5, 10.14.0, 10.14.1, 10.15.0, 10.16.0, 10.16.1, 10.17.0, 10.17.1, 10.18.0, 10.19.0, 10.20.0, 10.21.0, 10.21.1, 10.22.0, 10.23.0, 10.23.1, 10.24.0, 10.25.0, 10.25.1, 10.25.2, 10.26.0, 10.26.1, 10.26.2, 10.27.0, 10.28.0, 10.29.0, 10.30.0, 10.30.1, 10.31.0, 10.32.0, 10.32.1, 10.33.0, 10.34.0, 10.34.1, 10.34.2, 10.35.0, 10.36.0, 10.37.1, 10.37.2, 10.37.3, 10.38.0, 10.38.1, 10.38.2, 10.39.0, 10.40.0, 10.41.0, 10.42.0, 10.43.0, 10.44.0, 10.45.0, 10.45.1, 10.46.0, 10.47.0, 10.48.0, 10.48.1, 10.48.2, 10.48.3, 10.48.4, 10.48.5, 10.48.6, 10.48.7, 10.48.8, 10.48.9, 10.48.10, 10.48.11, 10.48.12, 10.48.13, 10.48.14, 10.48.15, 10.48.16, 10.48.17, 10.48.18, 10.48.19, 10.48.20, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.0.5, 11.0.6, 11.0.7, 11.0.8, 11.1.0, 11.1.1, 11.2.0, 11.3.0, 11.3.1, 11.4.0, 11.5.0, 11.6.0, 11.7.0, 11.8.0, 11.9.0, 11.9.1, 11.9.2, 11.10.0, 11.11.0, 11.11.1, 11.12.0, 11.13.0, 11.14.0, 11.15.0, 11.16.0, 11.17.0, 11.18.0, 11.18.1, 11.19.0, 11.20.0, 11.21.0