Home > Vulnerability Database > CVE-2022-40482

Mend.io Vulnerability Database

CVE-2022-40482

Date: April 24, 2023

The authentication method in Laravel 8.x through 9.x before 9.32.0 was discovered to be vulnerable to user enumeration via timeless timing attacks with HTTP/2 multiplexing. This is caused by the early return inside the hasValidCredentials method in the Illuminate\Auth\SessionGuard class when a user is found to not exist.

Language: PHP

Severity Score

5.3

Related Resources (6)

Url: https://github.com/ephort/laravel-user-enumeration-demo

Url: https://ephort.dk/blog/laravel-timing-attack-vulnerability/

Url: https://github.com/laravel/framework/releases/tag/v9.32.0

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-40482

Url: https://github.com/laravel/framework/pull/44069

Url: https://www.mend.io/vulnerability-database/CVE-2022-40482

Severity Score

5.3

Weakness Type (CWE)

Observable Discrepancy

CWE-203

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-40482

Date: April 24, 2023

Language: PHP

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?