Open mend-bolt-for-github[bot] opened 5 months ago
mend-bolt-for-github[bot]
commented
5 months ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-bolt-for-github[bot]
commented
2 weeks ago :information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/858add225ce88a76c43aec0e7866288321ee0ee9
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-50345
### Vulnerable Library - symfony/http-foundation-v6.3.1Defines an object-oriented layer for the HTTP specification
Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/e0ad0d153e1c20069250986cd9e9dd1ccebb0d66
Dependency Hierarchy: - laravel/framework-v9.52.10 (Root Library) - :x: **symfony/http-foundation-v6.3.1** (Vulnerable Library)
Found in base branch: main
### Vulnerability Detailssymfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The "Request" class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the "Request" class to redirect users to another domain. The "Request::create" methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-50345
### CVSS 3 Score Details (3.1)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp
Release Date: 2024-11-06
Fix Resolution: symfony/http-foundation - v5.4.46,v6.4.14,v7.1.7
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-52301
### Vulnerable Library - laravel/framework-v9.52.10The Laravel Framework.
Library home page: https://api.github.com/repos/laravel/framework/zipball/858add225ce88a76c43aec0e7866288321ee0ee9
Dependency Hierarchy: - :x: **laravel/framework-v9.52.10** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsLaravel is a web application framework. When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment used by the framework when handling the request. The vulnerability fixed in 6.20.45, 7.30.7, 8.83.28, 9.52.17, 10.48.23, and 11.31.0. The framework now ignores argv values for environment detection on non-cli SAPIs.
Publish Date: 2024-11-12
URL: CVE-2024-52301
### CVSS 3 Score Details (0.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/laravel/framework/security/advisories/GHSA-gv7v-rgg6-548h
Release Date: 2024-11-12
Fix Resolution: laravel/framework-6.20.45,7.30.7,8.83.28,9.52.17,10.48.23,11.31.0
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-51736
### Vulnerable Library - symfony/process-v6.3.0Executes commands in sub-processes
Library home page: https://api.github.com/repos/symfony/process/zipball/8741e3ed7fe2e91ec099e02446fb86667a0f1628
Dependency Hierarchy: - laravel/framework-v9.52.10 (Root Library) - :x: **symfony/process-v6.3.0** (Vulnerable Library)
Found in base branch: main
### Vulnerability DetailsSymphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-51736
### CVSS 3 Score Details (0.0)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2024-11-06
Fix Resolution: symfony/process - v5.4.46,v6.4.14,v7.1.7
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)