GHSA-7fjp-g4m7-fx23
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7fjp-g4m7-fx23
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-7fjp-g4m7-fx23/GHSA-7fjp-g4m7-fx23.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7fjp-g4m7-fx23
- Published
- 2021-04-13T15:12:26Z
- Modified
- 2024-12-02T05:50:00.799843Z
- Summary
- User (Encrypted) Password Field Being Serialised
- Details
-
Impact
Leaking Password field during serialisation of the User model. Password is in the encrypted form but if User model is requested in json or array form the value is printed.
Patches
Issue has been patched in version 0.3.7-beta and onwards.
Workarounds
Add the 'password' field to the Users model file in the hidden array:
/** * The attributes that should be hidden for arrays. * * @var array */ protected $hidden = [ 'remember_token', 'password', ];For more information
If you have any questions or comments about this advisory: * Open an issue in pwweb/laravel-core * Email us at security@pw-websolutions.com
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-200" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2021-04-12T20:05:57Z" }- References
Affected packages
Packagist / pwweb/laravel-core
Package
- Name
- pwweb/laravel-core
- Purl
- pkg:composer/pwweb/laravel-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.3.7-beta