GHSA-44pg-c29v-hp6r

Source

https://github.com/advisories/GHSA-44pg-c29v-hp6r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-44pg-c29v-hp6r/GHSA-44pg-c29v-hp6r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-44pg-c29v-hp6r

Published

2024-05-15T22:18:33Z

Modified

2024-05-15T22:30:45.027899Z

Summary

Laravel Guard bypass in Eloquent models

Details

In laravel releases before 6.18.34 and 7.23.2. It was possible to mass assign Eloquent attributes that included the model's table name:

$model->fill(['users.name' => 'Taylor']);

When doing so, Eloquent would remove the table name from the attribute for you. This was a "convenience" feature of Eloquent and was not documented.

However, when paired with validation, this can lead to unexpected and unvalidated values being saved to the database. For this reason, we have removed the automatic stripping of table names from mass-asignment operations so that the attributes go through the typical "fillable" / "guarded" logic. Any attributes containing table names that are not explicitly declared as fillable will be discarded.

This security release will be a breaking change for applications that were relying on the undocumented table name stripping during mass assignment. Since this feature was relatively unknown and undocumented, we expect the vast majority of Laravel applications to be able to upgrade without issues.

References

Affected packages

Packagist / laravel/framework

Package

Name: laravel/framework
Purl: pkg:composer/laravel/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.5.0

Last affected

5.5.49

Affected versions

v5.*

v5.5.0

v5.5.1

v5.5.2

v5.5.3

v5.5.4

v5.5.5

v5.5.6

v5.5.7

v5.5.8

v5.5.9

v5.5.10

v5.5.11

v5.5.12

v5.5.13

v5.5.14

v5.5.15

v5.5.16

v5.5.17

v5.5.18

v5.5.19

v5.5.20

v5.5.21

v5.5.22

v5.5.23

v5.5.24

v5.5.25

v5.5.26

v5.5.27

v5.5.28

v5.5.29

v5.5.30

v5.5.31

v5.5.32

v5.5.33

v5.5.34

v5.5.35

v5.5.36

v5.5.37

v5.5.38

v5.5.39

v5.5.40

v5.5.41

v5.5.42

v5.5.43

v5.5.44

v5.5.45

v5.5.46

v5.5.47

v5.5.48

v5.5.49

Packagist / laravel/framework

Package

Name: laravel/framework
Purl: pkg:composer/laravel/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.18.34

Affected versions

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.1.0

v6.2.0

v6.3.0

v6.4.0

v6.4.1

v6.5.0

v6.5.1

v6.5.2

v6.6.0

v6.6.1

v6.6.2

v6.7.0

v6.8.0

v6.9.0

v6.10.0

v6.10.1

v6.11.0

v6.12.0

v6.13.0

v6.13.1

v6.14.0

v6.15.0

v6.15.1

v6.16.0

v6.17.0

v6.17.1

v6.18.0

v6.18.1

v6.18.2

v6.18.3

v6.18.4

v6.18.5

v6.18.6

v6.18.7

v6.18.8

v6.18.9

v6.18.10

v6.18.11

v6.18.12

v6.18.13

v6.18.14

v6.18.15

v6.18.16

v6.18.17

v6.18.18

v6.18.19

v6.18.20

v6.18.21

v6.18.22

v6.18.23

v6.18.24

v6.18.25

v6.18.26

v6.18.27

v6.18.28

v6.18.29

v6.18.30

v6.18.31

v6.18.32

v6.18.33

Packagist / laravel/framework

Package

Name: laravel/framework
Purl: pkg:composer/laravel/framework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.23.2

Affected versions

v7.*

v7.0.0

v7.0.1

v7.0.2

v7.0.3

v7.0.4

v7.0.5

v7.0.6

v7.0.7

v7.0.8

v7.1.0

v7.1.1

v7.1.2

v7.1.3

v7.2.0

v7.2.1

v7.2.2

v7.3.0

v7.4.0

v7.5.0

v7.5.1

v7.5.2

v7.6.0

v7.6.1

v7.6.2

v7.7.0

v7.7.1

v7.8.0

v7.8.1

v7.9.0

v7.9.1

v7.9.2

v7.10.0

v7.10.1

v7.10.2

v7.10.3

v7.11.0

v7.12.0

v7.13.0

v7.14.0

v7.14.1

v7.15.0

v7.16.0

v7.16.1

v7.17.0

v7.17.1

v7.17.2

v7.18.0

v7.19.0

v7.19.1

v7.20.0

v7.21.0

v7.22.0

v7.22.1

v7.22.2

v7.22.3

v7.22.4

v7.23.0

v7.23.1