Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/illuminate/database@8.23.1
Typecomposer
Namespaceilluminate
Namedatabase
Version8.23.1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version8.40.0
Latest_non_vulnerable_version8.40.0
Affected_by_vulnerabilities
0
url VCID-wptp-4xv5-43du
vulnerability_id VCID-wptp-4xv5-43du
summary 
Unexpected database bindings
This is a follow-up to the previous security advisory (GHSA-3p32-j457-pg5x) which addresses a few additional edge cases.

If a request is crafted where a field that is normally a non-array value is an array, and that input is not validated or cast to its expected type before being passed to the query builder, an unexpected number of query bindings can be added to the query. In some situations, this will simply lead to no results being returned by the query builder; however, it is possible certain queries could be affected in a way that causes the query to return unexpected results.
references
0
reference_url https://packagist.org/packages/illuminate/database
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/illuminate/database
1
reference_url https://packagist.org/packages/laravel/framework
reference_id
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/laravel/framework
2
reference_url https://github.com/advisories/GHSA-3p32-j457-pg5x
reference_id GHSA-3p32-j457-pg5x
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-3p32-j457-pg5x
3
reference_url https://github.com/advisories/GHSA-x7p5-p2c9-phvg
reference_id GHSA-x7p5-p2c9-phvg
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x7p5-p2c9-phvg
4
reference_url https://github.com/laravel/framework/security/advisories/GHSA-x7p5-p2c9-phvg
reference_id GHSA-x7p5-p2c9-phvg
reference_type
scores
0
value 7.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/laravel/framework/security/advisories/GHSA-x7p5-p2c9-phvg
fixed_packages
0
url pkg:composer/illuminate/database@8.24.0
purl pkg:composer/illuminate/database@8.24.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-zj39-eevs-kug3
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/illuminate/database@8.24.0
aliases GHSA-x7p5-p2c9-phvg, GMS-2021-114, GMS-2021-116
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wptp-4xv5-43du
1
url VCID-zj39-eevs-kug3
vulnerability_id VCID-zj39-eevs-kug3
summary 
SQL Server LIMIT / OFFSET SQL Injection in laravel/framework and illuminate/database
### Impact

Those using SQL Server with Laravel and allowing user input to be passed directly to the `limit` and `offset` functions is vulnerable to SQL injection. Other database drivers such as MySQL and Postgres are not affected by this vulnerability.

### Patches

This problem has been patched on Laravel versions 6.20.26, 7.30.5, and 8.40.0.

### Workarounds

You may workaround this vulnerability by ensuring that only integers are passed to the `limit` and `offset` functions, as well as the `skip` and `take` functions.
references
0
reference_url https://github.com/laravel/framework
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/laravel/framework
1
reference_url https://packagist.org/packages/illuminate/database
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/illuminate/database
2
reference_url https://packagist.org/packages/laravel/framework
reference_id
reference_type
scores
0
value HIGH
scoring_system generic_textual
scoring_elements
url https://packagist.org/packages/laravel/framework
3
reference_url https://github.com/advisories/GHSA-4mg9-vhxq-vm7j
reference_id GHSA-4mg9-vhxq-vm7j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4mg9-vhxq-vm7j
4
reference_url https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-vm7j
reference_id GHSA-4mg9-vhxq-vm7j
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/laravel/framework/security/advisories/GHSA-4mg9-vhxq-vm7j
fixed_packages
0
url pkg:composer/illuminate/database@8.40.0
purl pkg:composer/illuminate/database@8.40.0
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/illuminate/database@8.40.0
aliases GHSA-4mg9-vhxq-vm7j, GMS-2021-113, GMS-2021-115
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zj39-eevs-kug3
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/illuminate/database@8.23.1