Token Verification Flaw in Laravel Framework by Taylor Otwell
CVE-2017-14775

5.9MEDIUM

Key Information:

Vendor

Laravel

Status
Laravel
Vendor
CVE Published:
28 September 2017

What is CVE-2017-14775?

The Laravel Framework versions prior to 5.5.10 exhibit a security weakness in the remember_me token verification process. Specifically, the DatabaseUserProvider fails to implement constant-time token comparison, making the application susceptible to timing attacks. This vulnerability could potentially allow an attacker to bypass security mechanisms, thereby jeopardizing user account integrity.

References

https://github.com/laravel/framework/releases/tag/v5.5.10
x_refsource_CONFIRM
https://github.com/laravel/framework/pull/21320
x_refsource_CONFIRM
https://laravel-news.com/laravel-v5-5-11
x_refsource_CONFIRM

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability Reserved

  • Vulnerability published

.
CVE-2017-14775 : Token Verification Flaw in Laravel Framework by Taylor Otwell