PT-2022-20559 · Valinor · Valinor

Published 2022-07-11 · Updated 2022-07-16 · CVE-2022-31140

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Valinor versions prior to 0.12.0
Description: Valinor is a PHP library that maps arbitrary input into a strongly-typed value object structure. Prior to version 0.12.0, the error messages Valinor produces for a failed mapping can include the result of Throwable#getMessage() from any exception raised during mapping, including exceptions that were never intended to be shown to the caller. That is a problem in cases such as an SQL exception whose message embeds an SQL snippet, a database connection exception whose message embeds the database IP address, username or password, or a timeout or out-of-memory exception whose message embeds internal details. An attacker who can submit input to the mapper and read the resulting error messages could use this information for data exfiltration, denial of service, enumeration of internal resources, and similar attacks.
Recommendations: For versions prior to 0.12.0, update to version 0.12.0, which resolves the issue. As a temporary workaround, restrict what can be exposed through Throwable#getMessage(): do not return its output to callers where it could reveal sensitive information, and avoid throwing exceptions whose messages carry such information (SQL exceptions, database connection exceptions and the like) from code that runs during mapping. Log the original detail server-side and hand the client a generic message instead.
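The following PHP snippet is an added illustration of the bug class behind this advisory and of the hardened pattern; it is not Valinor's source code and does not use Valinor's API. It models a mapper that builds a value object from untrusted input and reports constructor failures back to the caller. The vulnerable function forwards Throwable#getMessage() from every exception; the hardened one only forwards messages from exceptions that opt in through a marker interface and logs everything else server-side. All class and function names (Endpoint, SafeMessage, InvalidPort, mapEndpointExposeAll, mapEndpointFiltered) and the sample inputs are constructed for this example; the opt-in marker interface is one reasonable remediation design and is not a description of how the 0.12.0 fix is implemented.

```php
<?php
declare(strict_types=1);

// Added illustration, not Valinor's code. Every class and function here is
// hypothetical; the inputs at the bottom are constructed for the demo.

/** Marker for exceptions whose message is safe to show to the client. */
interface SafeMessage {}

/** A validation failure: the message is written for end users. */
final class InvalidPort extends \RuntimeException implements SafeMessage {}

final class Endpoint
{
    public function __construct(public string $host, public int $port)
    {
        if ($port < 1 || $port > 65535) {
            throw new InvalidPort("port must be between 1 and 65535, got {$port}");
        }
        // Constructed stand-in for an internal failure raised during mapping,
        // e.g. a DB driver embedding host and credentials in its message.
        if ($host === 'db.internal') {
            throw new \RuntimeException(
                "SQLSTATE[HY000] [1045] Access denied for user 'app'@'10.0.0.7' (using password: YES)"
            );
        }
    }
}

/** Vulnerable: forwards Throwable#getMessage() of any exception to the caller. */
function mapEndpointExposeAll(array $input): array
{
    try {
        new Endpoint((string) $input['host'], (int) $input['port']);
        return ['ok' => true, 'errors' => []];
    } catch (\Throwable $e) {
        // Whatever the exception says, the client gets to read it.
        return ['ok' => false, 'errors' => [$e->getMessage()]];
    }
}

/** Hardened: only exceptions that opt in via SafeMessage reach the caller. */
function mapEndpointFiltered(array $input, ?callable $log = null): array
{
    try {
        new Endpoint((string) $input['host'], (int) $input['port']);
        return ['ok' => true, 'errors' => []];
    } catch (\Throwable $e) {
        if ($e instanceof SafeMessage) {
            return ['ok' => false, 'errors' => [$e->getMessage()]];
        }
        // Keep the detail server-side; hand the client a generic message.
        if ($log !== null) {
            $log($e::class . ': ' . $e->getMessage());
        }
        return ['ok' => false, 'errors' => ['Invalid value.']];
    }
}

// Constructed inputs: one plain validation error, one internal failure.
$badPort = ['host' => 'api.example', 'port' => 70000];
$internalFailure = ['host' => 'db.internal', 'port' => 3306];

print_r(mapEndpointExposeAll($internalFailure));   // leaks the DSN-style message
print_r(mapEndpointFiltered($internalFailure, fn(string $m) => error_log($m))); // "Invalid value."
print_r(mapEndpointFiltered($badPort));            // validation message, safe to show
```

Run it with `php example.php`. The useful check when auditing code that wraps a mapper like this is to grep for `getMessage()` on a caught `\Throwable` or `\Exception` and ask, for each site, whether every exception type that can reach it was written with an end user as the audience; the allowlist approach above makes that property explicit instead of relying on every upstream library to keep secrets out of its messages.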

Weakness Enumeration

Generation of Error Message Containing Sensitive Information (CWE-209)
Information Disclosure

Related Identifiers

CVE-2022-31140
GHSA-5PGM-3J3G-2RC7

Affected Products

Valinor