CVE-2024-3090: RCE in Illuminate Cookie Session Driver
Platform: php
Component: open-source-vulnerabilities
Fixed in: 1.0.1
CVE-2024-3090 is a critical Remote Code Execution (RCE) vulnerability impacting applications utilizing the "cookie" session driver within the Illuminate framework. This vulnerability arises when an encryption oracle is exposed, enabling attackers to potentially execute arbitrary code on the server. The vulnerability affects versions of the Illuminate Cookie component up to and including v6.8.0, with a particular focus on applications running Laravel 5.5 and earlier.
Impact and Attack Scenarios
The primary impact of CVE-2024-3090 is the potential for remote code execution. An attacker exploiting this vulnerability can leverage an encryption oracle – a mechanism where user input influences encryption behavior – to gain control of the affected server. This could lead to complete system compromise, including data exfiltration, modification of sensitive information, and installation of malicious software. The blast radius extends to any data accessible by the application, and depending on the server's configuration, could allow for lateral movement to other systems within the network. This vulnerability shares similarities with other encryption oracle exploits, highlighting the importance of secure encryption practices.
Exploitation Context
CVE-2024-3090 was published on May 15, 2024. Its severity is rated as CRITICAL (CVSS 9.5). Public proof-of-concept (POC) code is likely to emerge given the vulnerability's nature and the high CVSS score. The vulnerability is not currently listed on KEV or EPSS, suggesting no immediate widespread exploitation campaigns are known. Refer to the official Laravel security advisory for further details and updates.
Threat Intelligence
EPSS: 0.09% (26th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: High — admin or privileged account required to exploit.
- User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
- Integrity: Low — attacker can modify some data with limited scope or impact.
- Availability: None — no availability impact. Service remains fully operational.
Mitigation and Workarounds
The primary mitigation for CVE-2024-3090 is to upgrade the Illuminate Cookie component to version 6.18.31 or later. For applications running Laravel 5.5 and earlier, which no longer receive security updates, the recommended workaround is to avoid using the "cookie" session driver in production deployments; consider alternative session drivers such as 'file' or 'database'. If an immediate upgrade is not possible, implement strict input validation and sanitization to prevent manipulation of encryption parameters, and monitor application logs for unusual encryption-related activity. After upgrading, confirm the fix by attempting to trigger the encryption oracle scenario and verifying that it no longer results in code execution.
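To turn the "am I affected" criteria above (cookie session driver on an Illuminate Cookie build below the fixed version) into a repeatable check, the following script is an added example, not code from this page or from Laravel. It assumes the project's `composer.lock` and `.env` files as inputs, uses the 6.18.31 fix threshold stated in the mitigation text, and works on constructed sample inputs embedded inline.

```python
import json
import re

# Fixed version stated in this page's mitigation text (illuminate/cookie 6.18.31 or later).
FIXED_VERSION = (6, 18, 31)

# Constructed sample inputs (not from any real project): a composer.lock excerpt and a .env file.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "illuminate/cookie", "version": "v6.8.0"},
                                       {"name": "monolog/monolog", "version": "2.9.1"}]})
SAMPLE_ENV = "APP_ENV=production\nSESSION_DRIVER=cookie\n"


def parse_version(text):
    """Turn 'v6.18.31' or '6.18.31' into a comparable int tuple; None if not a plain semver."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def installed_version(lock_text, package="illuminate/cookie"):
    """Return the locked version string of `package`, searching prod and dev sections."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def session_driver(env_text):
    """Read SESSION_DRIVER from .env text; Laravel falls back to 'file' when it is unset."""
    for line in env_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "SESSION_DRIVER":
            return value.strip().strip("\"'")
    return "file"


def assess(lock_text, env_text):
    """'not-installed', 'patched', 'driver-not-cookie', or 'exposed' (cookie driver on an unpatched build)."""
    ver = installed_version(lock_text)
    if ver is None:
        return "not-installed"
    parsed = parse_version(ver)
    # Unparsable versions (e.g. dev branches) are conservatively treated as unpatched.
    if parsed is not None and parsed >= FIXED_VERSION:
        return "patched"
    if session_driver(env_text) != "cookie":
        return "driver-not-cookie"
    return "exposed"
```

Run `assess(open("composer.lock").read(), open(".env").read())` from the project root; only an "exposed" result needs the upgrade or driver change described above.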
How to fix
Update the Emergency Ambulance Hiring Portal to a patched version that fixes the XSS vulnerability. If no such version is available, filter and escape user input in the /admin/add-ambulance.php file, especially the 'Ambulance Reg No' and 'Driver Name' fields, to prevent malicious code injection.
Frequently asked questions
What is CVE-2024-3090 — RCE in Illuminate Cookie Session Driver?
CVE-2024-3090 is a critical Remote Code Execution vulnerability affecting applications using the 'cookie' session driver in the Illuminate framework, specifically versions up to 6.8.0. An encryption oracle allows attackers to execute arbitrary code.
Am I affected by CVE-2024-3090 in Illuminate Cookie Session Driver?
You are affected if your application uses the 'cookie' session driver with Illuminate Cookie versions 6.8.0 or earlier, especially if running Laravel 5.5 or earlier, which lacks security updates.
How do I fix CVE-2024-3090 in Illuminate Cookie Session Driver?
Upgrade the Illuminate Cookie component to version 6.18.31 or later. If upgrading is not immediately possible, avoid using the 'cookie' session driver in production, particularly in Laravel 5.5 and earlier.
Is CVE-2024-3090 being actively exploited?
While no widespread exploitation campaigns are currently known, the high CVSS score and potential for POC code suggest active exploitation is possible. Monitor your systems closely.
Where can I find the official Illuminate advisory for CVE-2024-3090?
Refer to the official Laravel security advisory for detailed information and updates regarding CVE-2024-3090: https://laravel.com/docs/releases/security