
Technical upgrade based on composer audit on OpenKab #791

@vickyrolanda

Description

With the upgrade to version 10 done through issue #790, there are several findings below that should be resolved.

Use composer audit to obtain the information below:

Found 7 security vulnerability advisories affecting 5 packages

+-------------------+----------------------------------------------------------------------------------+
| Package | laravel/framework |
| Severity | medium |
| CVE | CVE-2025-27515 |
| Title | Laravel has a File Validation Bypass |
| URL | GHSA-78fx-h6xr-vch4 |
| Affected versions | <10.48.29|>=11.0.0,<11.44.1|>=12.0.0,<12.1.1 |
| Reported at | 2025-03-05T19:09:39+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | laravel/framework |
| Severity | high |
| CVE | CVE-2024-52301 |
| Title | Laravel environment manipulation via query string |
| URL | GHSA-gv7v-rgg6-548h |
| Affected versions | <6.20.45|>=7.0.0,<7.30.7|>=8.0.0,<8.83.28|>=9.0.0,<9.52.17|>=10.0.0,<10.48.23|>= |
| | 11.0.0,<11.31.0 |
| Reported at | 2024-11-12T15:29:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | league/commonmark |
| Severity | medium |
| CVE | CVE-2025-46734 |
| Title | league/commonmark contains a XSS vulnerability in Attributes extension |
| URL | GHSA-3527-qv2q-pfvx |
| Affected versions | <2.7.0 |
| Reported at | 2025-05-05T20:40:36+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | league/commonmark |
| Severity | high |
| CVE | NO CVE |
| Title | league/commonmark's quadratic complexity bugs may lead to a denial of service |
| URL | GHSA-c2pc-g5qf-rfrf |
| Affected versions | <2.6.0 |
| Reported at | 2024-12-09T20:42:07+00:00 |
| Advisory ID | PKSA-fndg-qryc-dyc9 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | nesbot/carbon |
| Severity | medium |
| CVE | CVE-2025-22145 |
| Title | Carbon has an arbitrary file include via unvalidated input passed to |
| | Carbon::setLocale |
| URL | GHSA-j3f9-p6hm-5w6q |
| Affected versions | <2.72.6|>=3.0.0,<3.8.4 |
| Reported at | 2025-01-08T21:03:28+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | symfony/http-foundation |
| Severity | low |
| CVE | CVE-2024-50345 |
| Title | CVE-2024-50345: Open redirect via browser-sanitized URLs |
| URL | https://symfony.com/cve-2024-50345 |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
| | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
| | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7 |
| Reported at | 2024-11-05T08:00:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | symfony/process |
| Severity | high |
| CVE | CVE-2024-51736 |
| Title | CVE-2024-51736: Command execution hijack on Windows with Process class |
| URL | https://symfony.com/cve-2024-51736 |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
| | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
| | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7 |
| Reported at | 2024-11-05T08:00:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+

Found 3 abandoned packages:
+-------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+-------------------------+----------------------------------------------------------------------------------+
| akaunting/money | akaunting/laravel-money |
| intervention/imagecache | none |
| laravelcollective/html | spatie/laravel-html |
+-------------------------+----------------------------------------------------------------------------------+

  1. Summary of Findings
  • 7 security vulnerabilities in 5 different packages, several with High severity (dangerous).
  • 3 packages are already abandoned (no longer maintained).
  • Most of the security issues can be resolved by updating Laravel and the other dependencies.
  • These vulnerabilities can lead to XSS, file validation bypass, environment manipulation, command injection, open redirect, and file inclusion.

A. league/commonmark
Issue & Risk: XSS vulnerability and DoS via quadratic complexity.
Action: Update to at least 2.7.0 (safer to take the latest version).

B. nesbot/carbon
Issue & Risk: File inclusion via Carbon::setLocale.
Action: Update to 2.72.6 or newer.

C. symfony/http-foundation
Issue: Open redirect vulnerability.
Action: Update to at least 5.4.46 or the latest patch on the 5.x/6.x branch matching Laravel.

D. symfony/process
Issue: Command execution hijack on Windows.
Action: Update to at least 5.4.46 or the latest patch.

Note: Since Laravel pulls in symfony/* and nesbot/carbon as dependencies.
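To verify that the planned updates actually leave the affected ranges, it helps to evaluate the "Affected versions" expressions from composer audit against the versions pinned in composer.lock. The script below is an added example written for this issue, not OpenKab project code: it parses the range syntax composer audit prints ("|" separates alternative ranges, "," joins bounds that must all hold) and checks a lock file against it. The advisory ranges are copied from the audit output above for laravel/framework, league/commonmark and nesbot/carbon; the composer.lock excerpt is constructed sample data, not the project's real lock file.

```python
"""Check locked Composer package versions against composer-audit range expressions.

Added example for the OpenKab issue, not project code. Advisory ranges are copied
from the audit output in the issue; SAMPLE_LOCK is constructed test data.
"""
import json
import re

# Affected-version ranges exactly as printed by `composer audit` (from the issue).
ADVISORIES = {
    "laravel/framework": [
        ("CVE-2025-27515", "<10.48.29|>=11.0.0,<11.44.1|>=12.0.0,<12.1.1"),
        ("CVE-2024-52301", "<6.20.45|>=7.0.0,<7.30.7|>=8.0.0,<8.83.28|>=9.0.0,<9.52.17"
                           "|>=10.0.0,<10.48.23|>=11.0.0,<11.31.0"),
    ],
    "league/commonmark": [
        ("CVE-2025-46734", "<2.7.0"),
        ("GHSA-c2pc-g5qf-rfrf", "<2.6.0"),
    ],
    "nesbot/carbon": [("CVE-2025-22145", "<2.72.6|>=3.0.0,<3.8.4")],
}

# Constructed composer.lock excerpt (sample data only, not OpenKab's lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v10.48.20"},
        {"name": "league/commonmark", "version": "2.6.1"},
        {"name": "nesbot/carbon", "version": "2.72.6"},
        {"name": "symfony/console", "version": "v6.4.15"},
    ]
})

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
}


def parse_version(version):
    """Turn 'v10.48.20' into a comparable tuple of ints, padded to three parts.

    Stability suffixes such as '-beta1' are dropped; sufficient for tagged releases."""
    core = re.split(r"[-+]", version.lstrip("v"))[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version, constraint):
    """True if `version` lies inside the composer-audit range expression."""
    ver = parse_version(version)
    for alternative in constraint.split("|"):          # OR between alternatives
        matched = True
        for bound in alternative.split(","):            # AND within one alternative
            m = re.fullmatch(r"(<=|>=|<|>|=)?\s*([0-9][0-9A-Za-z.+-]*)", bound.strip())
            if not m:
                raise ValueError(f"unparsable bound: {bound!r}")
            op = m.group(1) or "="
            if not _OPS[op](ver, parse_version(m.group(2))):
                matched = False
                break
        if matched:
            return True
    return False


def audit_lock(lock_json, advisories=ADVISORIES):
    """Return {package: [advisory ids]} for every locked package still in an affected range."""
    lock = json.loads(lock_json)
    findings = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        hits = [adv for adv, rng in advisories.get(pkg["name"], [])
                if is_affected(pkg["version"], rng)]
        if hits:
            findings[pkg["name"]] = hits
    return findings


if __name__ == "__main__":
    # Run against the constructed lock excerpt; with a real file, pass its contents instead.
    for name, ids in audit_lock(SAMPLE_LOCK).items():
        print(f"{name}: still affected by {', '.join(ids)}")
```

Running it on the sample shows laravel/framework 10.48.20 still inside both Laravel ranges and league/commonmark 2.6.1 past the DoS fix but still below 2.7.0, while nesbot/carbon 2.72.6 sits exactly on the fixed version and is reported clean; replacing SAMPLE_LOCK with the real composer.lock after the upgrade gives a quick confirmation that the actions in A and B took effect.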
