9.8

CVE-2021-3129

Warning
Exploit
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
Data provided by the National Vulnerability Database (NVD)

Affected products:
Vendor    Product    Software platform    Version
Facade    Ignition   laravel              < 2.5.2
Laravel   Laravel                         < 8.4.2

18.09.2023: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability
Laravel Ignition File Upload Vulnerability

Description
Laravel Ignition contains a file upload vulnerability that allows unauthenticated remote attackers to execute malicious code due to insecure usage of file_get_contents() and file_put_contents().

Required action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
EPSS Metrics
Type    Source      Score     Percentile
EPSS    FIRST.org   99.94%    1

CVSS Metrics
Source                                  Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov                            9.8          3.9             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov                            7.5          10              6.4            AV:N/AC:L/Au:N/C:P/I:P/A:P
134c704f-9b21-4f2e-91b3-4a467353bcc0    9.8          3.9             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

No CWE information has been published yet.
References:
http://packetstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html (Third Party Advisory, Exploit, VDB Entry)
http://packetstormsecurity.com/files/165999/Ignition-Remote-Code-Execution.html (Third Party Advisory, Exploit, VDB Entry)
https://github.com/facade/ignition/pull/334 (Patch, Third Party Advisory)
https://www.ambionics.io/blog/laravel-debug-rce (Third Party Advisory, Exploit)
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3129 (US Government Resource)