CVE-2024-50347

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50347
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50347.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-50347
Aliases
Published
2024-10-31T18:15:05Z
Modified
2024-11-01T14:48:27.029928Z
Summary
[none]
Details

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. Prior to 1.4.0, there is an issue where verification signatures for requests sent to Reverb's Pusher-compatible API were not being verified. This API is used in scenarios such as broadcasting a message from a backend service or for obtaining statistical information (such as number of connections) about a given channel. This issue only affects the Pusher-compatible API endpoints and not the WebSocket connections themselves. In order to exploit this vulnerability, the application ID which, should never be exposed, would need to be known by an attacker. This vulnerability is fixed in 1.4.0.

References

Affected packages

Git / github.com/laravel/reverb

Affected ranges

Type
GIT
Repo
https://github.com/laravel/reverb
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
73cc140d76e803b151fc2dd2e4eb3eb784a82ee2

Affected versions

v1.*

v1.0.0
v1.0.0-beta1
v1.0.0-beta10
v1.0.0-beta11
v1.0.0-beta12
v1.0.0-beta13
v1.0.0-beta14
v1.0.0-beta2
v1.0.0-beta3
v1.0.0-beta4
v1.0.0-beta5
v1.0.0-beta6
v1.0.0-beta7
v1.0.0-beta8
v1.0.0-beta9
v1.1.0
v1.2.0
v1.3.0
v1.3.1