CVE-2017-14775: Close remember_me Timing Attack Vector

September 27, 2017 (updated October 10, 2017)

This package mishandles the remember_me token verification process because DatabaseUserProvider does not have constant-time token comparison.

References

github.com/laravel/framework/pull/21320
github.com/laravel/framework/releases/tag/v5.5.10
laravel-news.com/laravel-v5-5-11

Detect and mitigate CVE-2017-14775 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →