CVE-2022-40482

Exploit

EPSS 0.3%
Published 25.04.2023 19:15:10
Last modified 30.05.2025 19:06:45
Source cve@mitre.org
Teams watchlist Login
Open Login

The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a user is found to not exist.

Affected products Warnungen 0 Metrics 3 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Laravel ≫ Framework Version >= 8.0.0 < 8.83.24

Laravel ≫ Framework Version >= 9.0.0 < 9.32.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.3%	0.527

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://ephort.dk/blog/laravel-timing-attack-vulnerability/

Third Party Advisory

Exploit

Technical Description

https://github.com/ephort/laravel-user-enumeration-demo

Third Party Advisory

Exploit

https://github.com/laravel/framework/pull/44069

Patch

Vendor Advisory

https://github.com/laravel/framework/releases/tag/v9.32.0

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2022-40482

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-40482

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-40482

EUVD