CVE-2020-24940: Guard bypass in Eloquent models affecting Laravel illuminate database component

May 24, 2022 (updated May 15, 2024)

An issue was discovered in Laravel before 6.18.34 and 7.x before 7.23.2. Unvalidated values are saved to the database component in some situations in which table names are stripped during a mass assignment.

References

blog.laravel.com/security-release-laravel-61834-7232
github.com/FriendsOfPHP/security-advisories/blob/master/illuminate/database/CVE-2020-24940.yaml
github.com/advisories/GHSA-c7rm-w2hj-x8g3
github.com/illuminate/database
nvd.nist.gov/vuln/detail/CVE-2020-24940

Code Behaviors & Features

Detect and mitigate CVE-2020-24940 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →