ghsa-8vwh-pr89-4mw2
Vulnerability from github
Published
2024-12-13 20:35
Modified
2024-12-17 18:07
Summary
Laravel Pulse Allows Remote Code Execution via Unprotected Query Method
Details

A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public remember() method in the Laravel\Pulse\Livewire\Concerns\RemembersQueries trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application.

Impact

An authenticated user with access to the Laravel Pulse dashboard can execute arbitrary code by calling any function or static method that meets the following criteria:

  • The callable is a function or static method
  • The callable has no parameters or no strict parameter types

Vulnerable Components

  • The remember(callable $query, string $key = '') method in Laravel\Pulse\Livewire\Concerns\RemembersQueries
  • Affects all Pulse card components that use this trait

Attack Vectors

The vulnerability can be exploited through Livewire component interactions, for example:

```php
wire:click="remember('\\Illuminate\\Support\\Facades\\Config::all', 'config')"
```
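Because Livewire exposes every public component method to the browser, a call to remember() arriving from a client is itself the signal to look for. The following detector is an added example, not code from the advisory or the Pulse project; it assumes a Livewire 3 style update body with a components[].calls[] list of {method, params} objects (an assumption about the request format) and flags any client-side invocation of a denylisted helper, extracting the callable string the request tried to pass.

```python
import json
from typing import Optional

# Server-side helpers that Livewire would expose to the browser if public;
# a client has no legitimate reason to invoke any of them directly.
DENIED_CLIENT_METHODS = {"remember"}


def callable_string(params: list) -> Optional[str]:
    """Return the first parameter shaped like a PHP static callable string
    (Class::method), which is what remember() would hand to the callable."""
    for p in params:
        if isinstance(p, str) and "::" in p:
            return p
    return None


def flagged_calls(body: str) -> list[dict]:
    """Parse one Livewire update request body and return every component
    call whose method name is on the denylist. Malformed bodies yield []."""
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(payload, dict):
        return []
    hits = []
    for component in payload.get("components", []):
        if not isinstance(component, dict):
            continue
        for call in component.get("calls", []):
            method = call.get("method", "")
            if method in DENIED_CLIENT_METHODS:
                params = call.get("params", [])
                hits.append({"method": method, "params": params,
                             "callable": callable_string(params)})
    return hits


# Constructed sample bodies (not captured traffic), in the assumed shape.
SAMPLE_BENIGN = json.dumps({"components": [{"calls": [
    {"path": "", "method": "setPeriod", "params": ["24_hours"]}]}]})
SAMPLE_ATTACK = json.dumps({"components": [{"calls": [
    {"path": "", "method": "remember",
     "params": ["\\Illuminate\\Support\\Facades\\Config::all", "config"]}]}]})

if __name__ == "__main__":
    for name, body in (("benign", SAMPLE_BENIGN), ("attack", SAMPLE_ATTACK)):
        print(name, flagged_calls(body))
```

Running this over archived request bodies for the Livewire update endpoint gives a quick way to check whether the exposed method was ever called before the upgrade to 1.3.1.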

Credit

Thank you to Jeremy Angele for reporting this vulnerability.



{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "laravel/pulse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-55661"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-13T20:35:43Z",
    "nvd_published_at": "2024-12-13T16:15:27Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability has been discovered in Laravel Pulse that could allow remote code execution through the public `remember()` method in the `Laravel\\Pulse\\Livewire\\Concerns\\RemembersQueries` trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application. \n\n### Impact\n\nAn authenticated user with access to Laravel Pulse dashboard can execute arbitrary code by calling any function or static method that meets the following criteria:\n\n- The callable is a function or static method\n- The callable has no parameters or no strict parameter types\n\n### Vulnerable Components\n\n- The `remember(callable $query, string $key = \u0027\u0027)` method in `Laravel\\Pulse\\Livewire\\Concerns\\RemembersQueries`\n- Affects all Pulse card components that use this trait\n\n### Attack Vectors\n\nThe vulnerability can be exploited through Livewire component interactions, for example:\n\n```php\nwire:click=\"remember(\u0027\\\\Illuminate\\\\Support\\\\Facades\\\\Config::all\u0027, \u0027config\u0027)\"\n```\n\n### Credit\n\nThank you to Jeremy Angele for reporting this vulnerability.\n",
  "id": "GHSA-8vwh-pr89-4mw2",
  "modified": "2024-12-17T18:07:21Z",
  "published": "2024-12-13T20:35:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/laravel/pulse/security/advisories/GHSA-8vwh-pr89-4mw2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55661"
    },
    {
      "type": "WEB",
      "url": "https://github.com/laravel/pulse/commit/d1a5bf2eca36c6e3bedb4ceecd45df7d002a1ebc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/laravel/pulse"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Laravel Pulse Allows Remote Code Execution via Unprotected Query Method"
}

