Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

User (Encrypted) Password Field Being Serialised

Impact

The password field is leaked when the User model is serialised. The password is stored in encrypted form, but if the User model is requested in JSON or array form, the value is included in the output.

Patches

The issue is patched in version 0.3.7-beta and later.

Workarounds

Add the 'password' field to the $hidden array in the Users model file:


    /**
     * The attributes that should be hidden for arrays.
     *
     * @var array
     */
    protected $hidden = [
        'remember_token',
        'password',
    ];

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-7fjp-g4m7-fx23
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdmanAtZzRtNy1meDIz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago


Identifiers: GHSA-7fjp-g4m7-fx23
References: Repository: https://github.com/pwweb/laravel-core
Blast Radius: 0.0

Affected Packages

packagist:pwweb/laravel-core
Dependent packages: 1
Dependent repositories: 1
Downloads: 572 total
Affected Version Ranges: <= 0.3.6-beta
Fixed in: 0.3.7-beta
All affected versions:
All unaffected versions: