Laravel environment manipulation via query string
Package
Affected versions
< 6.20.45
>= 7.0.0, < 7.30.7
>= 8.0.0, < 8.83.28
>= 9.0.0, < 9.52.17
>= 10.0.0, < 10.48.23
>= 11.0.0, < 11.31.0
Patched versions
6.20.45
7.30.7
8.83.28
9.52.17
10.48.23
11.31.0
Description
Published by the National Vulnerability Database
Nov 12, 2024
Published to the GitHub Advisory Database
Nov 12, 2024
Reviewed
Nov 12, 2024
Last updated
Dec 21, 2024
Description
When the
register_argc_argv php
directive is set toon
, and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request.Resolution
The framework now ignores argv values for environment detection on non-cli SAPIs.
References