GMS-2021-55: User (Encrypted) Password Field Being Serialised

April 13, 2021

Impact

Leaking Password field during serialisation of the User model. Password is in the encrypted form but if User model is requested in json or array form the value is printed.

Patches

Issue has been patched in version 0.3.7-beta and onwards.

Workarounds

Add the ‘password’ field to the Users model file in the hidden array:


    /**
     * The attributes that should be hidden for arrays.
     *
     * @var array
     */
    protected $hidden = [
        'remember_token',
        'password',
    ];

For more information

If you have any questions or comments about this advisory:

Open an issue in pwweb/laravel-core
Email us at security@pw-websolutions.com

References

github.com/advisories/GHSA-7fjp-g4m7-fx23
github.com/pwweb/laravel-core/security/advisories/GHSA-7fjp-g4m7-fx23

Detect and mitigate GMS-2021-55 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →