Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-wq8p-mqvg-2p5h: laravel framework SQL Injection via limit and offset functions

Impact

Those using SQL Server with Laravel and allowing user input to be passed directly to the limit and offset functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability.

Patches

This problem has been patched on Laravel versions 6.20.26, 7.30.5, and 8.40.0.

Workarounds

You may workaround this vulnerability by ensuring that only integers are passed to the limit and offset functions, as well as the skip and take functions.

ghsa
#sql#vulnerability#git#php#postgres
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. GHSA-wq8p-mqvg-2p5h

laravel framework SQL Injection via limit and offset functions

High severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database • Updated May 15, 2024

Package

composer laravel/framework (Composer)

Affected versions

>= 6.0.0, < 6.20.26

>= 7.0.0, < 7.30.5

>= 8.0.0, < 8.40.0

Patched versions

6.20.26

7.30.5

8.40.0

Impact

Those using SQL Server with Laravel and allowing user input to be passed directly to the limit and offset functions are vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability.

Patches

This problem has been patched on Laravel versions 6.20.26, 7.30.5, and 8.40.0.

Workarounds

You may workaround this vulnerability by ensuring that only integers are passed to the limit and offset functions, as well as the skip and take functions.

References

  • GHSA-4mg9-vhxq-vm7j
  • https://github.com/FriendsOfPHP/security-advisories/blob/master/laravel/framework/2021-04-28.yaml

Published to the GitHub Advisory Database

May 15, 2024

Last updated

May 15, 2024

ghsa: Latest News

GHSA-gppm-hq3p-h4rp: Git credentials are exposed in Atlantis logs