CVE-2021-3129 – facade/ignition
Package
Manager: composer
Name: facade/ignition
Vulnerable Version: >=2.5.0 <2.5.2 || >=2.0.0 <2.4.2 || >=1.7.0 <1.16.14 || >=0 <1.6.15
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.94287 (percentile 0.99933)
Details
Unauthenticated remote code execution in Ignition. Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites running in debug mode with Laravel before 8.4.2.
Metadata
Created: 2021-03-29T20:23:46Z
Modified: 2021-03-23T00:13:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-4qwp-7c67-jmcc/GHSA-4qwp-7c67-jmcc.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-4qwp-7c67-jmcc
Finding: F422
Auto approve: 1