GHSA-8VWH-PR89-4MW2

Vulnerability from github – Published: 2024-12-13 20:35 – Updated: 2024-12-17 18:07
VLAI?
Summary
Laravel Pulse Allows Remote Code Execution via Unprotected Query Method
Details

A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public remember() method in the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application.

Impact

An authenticated user with access to Laravel Pulse dashboard can execute arbitrary code by calling any function or static method that meets the following criteria:

  • The callable is a function or static method
  • The callable has no parameters or no strict parameter types

Vulnerable Components

  • The remember(callable $query, string $key = '') method in Laravel\Pulse\Livewire\Concerns\RemembersQueries
  • Affects all Pulse card components that use this trait

Attack Vectors

The vulnerability can be exploited through Livewire component interactions, for example:

wire:click="remember('\\Illuminate\\Support\\Facades\\Config::all', 'config')"

Credit

Thank you to Jeremy Angele for reporting this vulnerability.

Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laravel/pulse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-13T20:35:43Z",
    "nvd_published_at": "2024-12-13T16:15:27Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public `remember()` method in the `Laravel\\Pulse\\Livewire\\Concerns\\RemembersQueries` trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application. \n\n### Impact\n\nAn authenticated user with access to Laravel Pulse dashboard can execute arbitrary code by calling any function or static method that meets the following criteria:\n\n- The callable is a function or static method\n- The callable has no parameters or no strict parameter types\n\n### Vulnerable Components\n\n- The `remember(callable $query, string $key = \u0027\u0027)` method in `Laravel\\Pulse\\Livewire\\Concerns\\RemembersQueries`\n- Affects all Pulse card components that use this trait\n\n### Attack Vectors\n\nThe vulnerability can be exploited through Livewire component interactions, for example:\n\n```php\nwire:click=\"remember(\u0027\\\\Illuminate\\\\Support\\\\Facades\\\\Config::all\u0027, \u0027config\u0027)\"\n```\n\n### Credit\n\nThank you to Jeremy Angele for reporting this vulnerability.\n",
  "id": "GHSA-8vwh-pr89-4mw2",
  "modified": "2024-12-17T18:07:21Z",
  "published": "2024-12-13T20:35:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/laravel/pulse/security/advisories/GHSA-8vwh-pr89-4mw2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55661"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laravel/pulse/commit/d1a5bf2eca36c6e3bedb4ceecd45df7d002a1ebc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/laravel/pulse"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Laravel Pulse Allows Remote Code Execution via Unprotected Query Method"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.