💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2024-3090: RCE in Illuminate Cookie Session Driver
Platform
php
Component
open-source-vulnerabilities
Fixed in
1.0.1
CVE-2024-3090 is described on this page as a critical Remote Code Execution (RCE) vulnerability in applications that use the "cookie" session driver from Laravel's Illuminate components. The precondition is an exposed encryption oracle: some application code path that encrypts attacker-supplied data with the application key and returns the result. Because the cookie driver stores session state in an encrypted cookie, such an oracle lets an attacker produce ciphertext the server will decrypt and trust, which is what makes the session forgeable and the server exploitable. The page states that Illuminate Cookie versions up to and including v6.8.0 are affected, with applications on Laravel 5.5 and earlier singled out because those releases no longer receive security updates. Note that the version boundaries given on this page do not agree with each other (affected "up to 6.8.0" here, fixed in 6.18.31 in the mitigation section, "Fixed in 1.0.1" in the metadata above), so confirm the affected and fixed versions against the vendor advisory before acting on any of them.
Impact and Attack Scenarios
The primary impact is remote code execution. An attacker who can reach an encryption oracle, meaning any application feature that encrypts attacker-controlled input under the application key and hands back the ciphertext, can use it to craft data the server will decrypt and trust, and through the cookie session driver gain control of the affected server. That can lead to full system compromise: data exfiltration, modification of sensitive information and installation of malicious software. The blast radius covers all data the application can reach and, depending on how the server is configured, may allow lateral movement to other systems on the network. The underlying lesson is general and applies beyond this component: an application must never encrypt attacker-chosen plaintext with a key that also protects data it later trusts.
Exploitation Context
CVE-2024-3090 was published on May 15, 2024. This page rates its severity CRITICAL (CVSS 9.5). That label does not match the CVSS metric breakdown further down this page (network vector, low complexity, high privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, no availability impact), which corresponds to a base score of 2.4 (Low) under CVSS v3.x, so treat the numeric rating with caution until it is confirmed against the NVD record. This page references no public proof-of-concept code. The vulnerability is not listed in the CISA KEV catalog, and its EPSS score is 0.09% (26th percentile), which suggests no known widespread exploitation campaign. Refer to the official Laravel security advisory for further details and updates.
Threat Intelligence
EPSS
0.09% (26th percentile)
CVSS Vector
The page does not print the vector string; the metric breakdown below corresponds to AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N.
What do these metrics mean?
- Attack Vector
- Network: exploitable remotely over the internet, with no physical or local access needed; the largest attack surface.
- Attack Complexity
- Low: no special conditions; the attacker can exploit reliably without unusual configuration.
- Privileges Required
- High: an administrator or otherwise privileged account is required.
- User Interaction
- Required: the victim must open a file, click a link or visit a page.
- Scope
- Unchanged: impact is confined to the vulnerable component.
- Confidentiality
- None: no impact on confidentiality.
- Integrity
- Low: the attacker can modify some data, with limited reach.
- Availability
- None: no impact on availability.
This profile (privileged account, user interaction, integrity-only impact) is hard to reconcile with the remote code execution described above; see the severity note in the exploitation context.
Mitigation and Workarounds
The primary mitigation is to upgrade the Illuminate Cookie component (shipped in laravel/framework, or the split illuminate/cookie package) to version 6.18.31 or later, the fixed release stated on this page. Verify what is actually installed with `composer show laravel/framework` or by reading composer.lock, rather than trusting the constraint in composer.json. Applications on Laravel 5.5 and earlier receive no security updates, so the recommended workaround there is not to use the "cookie" session driver in production: switch to the "file" or "database" driver (SESSION_DRIVER in .env, which config/session.php reads). Where an immediate upgrade is not possible, remove the encryption oracle itself: audit for any endpoint that passes user-controlled input through the application's encrypter and returns the ciphertext, and close it. Input validation on its own does not close an oracle, because whatever the oracle encrypts comes back as a valid ciphertext; the control has to sit at the point where user input reaches the encrypter. Monitor application logs for unusual encryption- or session-related activity. After upgrading, confirm the fix by checking the installed version and the configured session driver; do not validate it by attempting to reproduce code execution against a production system.
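As a worked version of the "am I affected" check, here is a script that reads a composer.lock and the application's .env and applies the two conditions this page gives: a Laravel/Illuminate cookie package older than the fixed release, and the "cookie" session driver in use. It is an added example, not the site's scanner. The fixed release 6.18.31 is the one stated on this page; the sample lock file and .env are constructed inline; and versions on a newer release branch are flagged for a manual check against the vendor advisory rather than declared safe, since the page lists only one fixed version.

```python
"""Does this composer.lock + .env match the affected conditions on this page?
Added example, not the site's scanner; sample inputs below are constructed."""
import json
import re
from typing import Optional, Tuple

# Fixed release as stated on this page (a single version; other release
# branches are flagged for a manual check rather than assumed safe).
FIXED: Tuple[int, int, int] = (6, 18, 31)
FIXED_STR = ".".join(map(str, FIXED))
# The cookie session driver ships in laravel/framework and in the split
# illuminate/cookie package; either may appear in a lock file.
PACKAGES = ("laravel/framework", "illuminate/cookie")


def parse_version(raw: str) -> Optional[Tuple[int, int, int]]:
    """'v6.18.30' -> (6, 18, 30); branch aliases such as '6.x-dev' return None."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", raw.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def session_driver(env_text: str) -> str:
    """SESSION_DRIVER from .env; Laravel's config/session.php falls back to 'file'."""
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("SESSION_DRIVER="):
            value = line.split("=", 1)[1].strip().strip("\"'")
            return value or "file"
    return "file"


def installed_versions(lock_text: str) -> dict:
    """Relevant package name -> locked version, across the prod and dev sections."""
    lock = json.loads(lock_text)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") in PACKAGES:
                found[pkg["name"]] = pkg.get("version", "")
    return found


def assess(lock_text: str, env_text: str) -> dict:
    """Combine package version and session driver into one verdict with reasons."""
    versions = installed_versions(lock_text)
    driver = session_driver(env_text)
    reasons, vulnerable, unknown, newer = [], False, False, False
    for name, raw in versions.items():
        ver = parse_version(raw)
        if ver is None:
            unknown = True
            reasons.append(f"{name}: cannot parse version {raw!r}")
        elif ver[0] > FIXED[0]:
            newer = True
            reasons.append(f"{name} {raw}: release branch not covered here; check the vendor advisory")
        elif ver < FIXED:
            vulnerable = True
            reasons.append(f"{name} {raw} is older than the fixed release {FIXED_STR}")
    if not versions:
        status = "not_applicable"
        reasons.append("no Laravel/Illuminate cookie package in composer.lock")
    elif vulnerable and driver == "cookie":
        status = "affected"
    elif vulnerable:
        status = "mitigated_by_driver"
        reasons.append(f"session driver is {driver!r}, not 'cookie'; upgrade regardless")
    elif unknown:
        status = "unknown"
    elif newer:
        status = "check_advisory"
    else:
        status = "not_affected"
    return {"status": status, "driver": driver, "packages": versions, "reasons": reasons}


# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v6.18.30"},
        {"name": "monolog/monolog", "version": "2.0.2"},
    ],
    "packages-dev": [],
})
SAMPLE_ENV = "APP_ENV=production\nSESSION_DRIVER=cookie\n"

if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_LOCK, SAMPLE_ENV), indent=2))
```

The verdict is deliberately split: "mitigated_by_driver" still tells you to upgrade, because the driver setting is a workaround rather than a fix, and "check_advisory" refuses to call a 7.x install safe on the strength of a page that only names a 6.x fixed release.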
How to fix it
Update the Emergency Ambulance Hiring Portal to a patched version that addresses the XSS vulnerability. If no such version is available, filter and escape user input in /admin/add-ambulance.php, in particular the 'Ambulance Reg No' and 'Driver Name' fields, to prevent injection of malicious code. Note that this remediation text refers to a different product and weakness (a stored XSS in a PHP web portal) than the Illuminate cookie session driver RCE named in the page title, although its profile is consistent with the CVSS metric breakdown above. Check the NVD record for CVE-2024-3090 to confirm which product the identifier actually covers before applying either set of instructions.
Frequently asked questions
What is CVE-2024-3090 — RCE in Illuminate Cookie Session Driver?
CVE-2024-3090 is described on this page as a critical Remote Code Execution vulnerability affecting applications that use the 'cookie' session driver from Laravel's Illuminate components, in versions up to 6.8.0 according to this page. An exposed encryption oracle lets an attacker execute arbitrary code.
Am I affected by CVE-2024-3090 in Illuminate Cookie Session Driver?
You are affected if your application uses the 'cookie' session driver with an Illuminate Cookie version of 6.8.0 or earlier, especially on Laravel 5.5 or earlier, which no longer receives security updates. Check the version actually installed (composer.lock or `composer show`), not the constraint in composer.json.
How do I fix CVE-2024-3090 in Illuminate Cookie Session Driver?
Upgrade the Illuminate Cookie component to version 6.18.31 or later. If upgrading is not immediately possible, stop using the 'cookie' session driver in production, particularly on Laravel 5.5 and earlier, and remove any code path that encrypts user input and returns the ciphertext.
Is CVE-2024-3090 being actively exploited?
No active exploitation is recorded on this page: the CVE is not in the CISA KEV catalog and its EPSS score is 0.09%. Apply the upgrade and monitor your systems regardless; an encryption oracle, once found, needs no further vulnerability to be abused.
Where can I find the official Illuminate advisory for CVE-2024-3090?
Refer to the official Laravel security advisory for detailed information and updates regarding CVE-2024-3090: https://laravel.com/docs/releases/security