Description

Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. Prior to 1.4.0, there is an issue where verification signatures for requests sent to Reverb's Pusher-compatible API were not being verified. This API is used in scenarios such as broadcasting a message from a backend service or for obtaining statistical information (such as number of connections) about a given channel. This issue only affects the Pusher-compatible API endpoints and not the WebSocket connections themselves. In order to exploit this vulnerability, the application ID which, should never be exposed, would need to be known by an attacker. This vulnerability is fixed in 1.4.0.

INFO

Published Date :

2024-10-31T17:56:41.503Z

Last Modified :

2024-10-31T19:46:33.780Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-50347 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-50347.

URL Resource
https://github.com/laravel/reverb/commit/73cc140d76e803b151fc2dd2e4eb3eb784a82ee2 cve-icon cve-icon
https://github.com/laravel/reverb/pull/252 cve-icon cve-icon
https://github.com/laravel/reverb/releases/tag/v1.4.0 cve-icon cve-icon
https://github.com/laravel/reverb/security/advisories/GHSA-pfrr-xvrf-pxjx cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability