Open mend-bolt-for-github[bot] opened 1 year ago
mend-bolt-for-github[bot]
commented
1 year ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-bolt-for-github[bot]
commented
7 months ago :information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
[READ ONLY] Subtree split of the Illuminate Database component (see laravel/framework)
Found in HEAD commit: 89ce8756022dac6df1c50b234f7e55dcc3e953ac
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-24941
### Vulnerable Library - illuminate/database-v5.4.36[READ ONLY] Subtree split of the Illuminate Database component (see laravel/framework)
Dependency Hierarchy: - :x: **illuminate/database-v5.4.36** (Vulnerable Library)
Found in HEAD commit: 89ce8756022dac6df1c50b234f7e55dcc3e953ac
Found in base branch: master
### Vulnerability DetailsAn issue was discovered in Laravel before 6.18.35 and 7.x before 7.24.0. The $guarded property is mishandled in some situations involving requests with JSON column nesting expressions.
Publish Date: 2020-09-04
URL: CVE-2020-24941
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-w68r-5p45-5rqp
Release Date: 2020-09-11
Fix Resolution: v6.18.35,v7.24.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2021-21263
### Vulnerable Library - illuminate/database-v5.4.36[READ ONLY] Subtree split of the Illuminate Database component (see laravel/framework)
Dependency Hierarchy: - :x: **illuminate/database-v5.4.36** (Vulnerable Library)
Found in HEAD commit: 89ce8756022dac6df1c50b234f7e55dcc3e953ac
Found in base branch: master
### Vulnerability DetailsLaravel is a web application framework. Versions of Laravel before 6.20.11, 7.30.2 and 8.22.1 contain a query binding exploitation. This same exploit applies to the illuminate/database package which is used by Laravel. If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.
Publish Date: 2021-01-19
URL: CVE-2021-21263
### CVSS 3 Score Details (7.2)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x
Release Date: 2021-01-19
Fix Resolution: v6.20.11,v7.30.2,v8.22.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)