Merge pull request #129 from AikidoSec/new-in-vimeo

new vuln in laravel/framework
AikidoSec · Jan 31, 2025 · 9beaa89 · 9beaa89
2 parents 3c54656 + 874abe1
commit 9beaa89
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/vulnerabilities/AIKIDO-2025-10064.json b/vulnerabilities/AIKIDO-2025-10064.json
@@ -0,0 +1,27 @@
+{
+  "package_name": "laravel/framework",
+  "patch_versions": [
+    "11.41.1"
+  ],
+  "vulnerable_ranges": [
+    [
+      "8.16.0",
+      "11.41.0"
+    ]
+  ],
+  "cwe": [
+    "CWE-532"
+  ],
+  "tldr": "Affected versions of this package expose sensitive information in log files by improperly logging confidential variables. When running `php artisan db` in a shell where the `mysql` binary is unavailable, an error occurs and is logged at the error level. Third-party logging services like Sentry may capture this error, resulting in database credentials, including the password, being displayed and stored in plain text.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade the `laravel/framework` library to the patch version.",
+  "reporter": "",
+  "vulnerable_to": "Insertion of Sensitive Information into Log File",
+  "related_cve_id": "",
+  "language": "php",
+  "severity_class": "LOW",
+  "aikido_score": 7,
+  "changelog": "https://github.com/laravel/framework/releases/tag/v11.41.1",
+  "last_modified": "2025-01-31",
+  "published": "2025-01-31"
+}