CVE-2022-40482

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 25/04/2023
Last modified: 30/05/2025

Description

The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a user is found to not exist.
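
The early-return pattern described above, next to one common mitigation (always perform one password-hash verification). This is an added illustration, not Laravel's source code and not the project's patch; the function names, the in-memory user store and the sample account are constructed for the example.

```php
<?php
// Added illustration; hypothetical names, not Laravel code or its fix.
const COST = ['cost' => 10];

// Constructed user store: email => bcrypt hash.
$users = ['alice@example.test' => password_hash('correct horse', PASSWORD_BCRYPT, COST)];

// Pattern from the description: return before any hashing when the user is unknown.
function checkEarlyReturn(array $users, string $email, string $password): bool
{
    if (!isset($users[$email])) {
        return false; // no bcrypt work done, so this path is measurably faster
    }
    return password_verify($password, $users[$email]);
}

// Mitigation: unknown users are verified against a dummy hash of the same
// algorithm and cost, so both paths do one bcrypt computation.
function checkUniform(array $users, string $email, string $password, string $dummyHash): bool
{
    $known = isset($users[$email]);
    $ok = password_verify($password, $known ? $users[$email] : $dummyHash);
    return $known && $ok;
}

// Median wall-clock time of a callable, in microseconds.
function medianMicros(callable $fn, int $runs = 15): float
{
    $samples = [];
    for ($i = 0; $i < $runs; $i++) {
        $start = hrtime(true);
        $fn();
        $samples[] = (hrtime(true) - $start) / 1000;
    }
    sort($samples);
    return $samples[intdiv($runs, 2)];
}

$dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, COST);
$cases = ['existing user' => 'alice@example.test', 'unknown user' => 'nobody@example.test'];

foreach ($cases as $label => $email) {
    $early = medianMicros(fn () => checkEarlyReturn($users, $email, 'wrong password'));
    $uniform = medianMicros(fn () => checkUniform($users, $email, 'wrong password', $dummy));
    printf("%-14s early-return: %9.1f us   uniform: %9.1f us\n", $label, $early, $uniform);
}
```

With the early return, the unknown-user row finishes in a few microseconds while the existing-user row takes a full bcrypt verification; with the uniform check both rows take about the same time. The dummy hash must use the same algorithm and cost as real hashes, or the difference reappears.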

Vulnerable products and versions

CPE | From | Up to
cpe:2.3:a:laravel:framework:*:*:*:*:*:*:*:* | 8.0.0 (including) | 8.83.24 (excluding)
cpe:2.3:a:laravel:framework:*:*:*:*:*:*:*:* | 9.0.0 (including) | 9.32.0 (excluding)