CVE-2021-43617 – laravel/framework
Package
Manager: composer
Name: laravel/framework
Vulnerable Version: <0
Severity
Level: Medium
CVSS v3.1: N/A
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.50067 (percentile: 0.97733)
Details
Withdrawn: Laravel Framework does not sufficiently block the upload of executable PHP content.

# Withdrawn

This advisory has been withdrawn after the maintainers of Laravel noted this issue is not a security vulnerability with Laravel itself, but rather a userland issue.

## Original CVE based description

Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. In some use cases, this may be related to file-type validation for image upload (e.g., differences between getClientOriginalExtension and other approaches).
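
The userland difference the description points at, as an added example in plain PHP (not Laravel's code and not from the advisory): one function derives the stored file name from the client-supplied extension, the other from the detected content type. The function names, the allow-list and the sample inputs are assumptions made for illustration; `pathinfo()` on the client name stands in for `getClientOriginalExtension`.

```php
<?php
declare(strict_types=1);

// Allow-list (assumed policy): detected MIME type => extension used on disk.
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// Weak pattern: the stored name keeps whatever extension the client sent,
// so "avatar.phar" is still ".phar" on disk.
function storedNameFromClient(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . ($ext !== '' ? '.' . $ext : '');
}

// Hardened pattern: ignore the client name, detect the type from the bytes,
// and take the extension from the allow-list only. Returns null to reject.
function storedNameFromContent(string $tmpPath): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Constructed samples: a 1x1 GIF and a plain-text file, both sent by the
// client under the name "avatar.phar".
$samples = [
    'gif bytes'  => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
    'text bytes' => "this is not an image\n",
];

foreach ($samples as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $weak = storedNameFromClient('avatar.phar');
    $safe = storedNameFromContent($tmp) ?? '(rejected)';
    echo "$label: client-derived=$weak content-derived=$safe\n";
    unlink($tmp);
}
```

The client-derived name ends in `.phar` for both samples, while the content-derived name ends in `.gif` for the image and is rejected for the text file, so the extension on disk never comes from the request.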
Metadata
Created: 2021-11-16T23:40:08Z
Modified: 2021-11-17T22:04:33Z
Source: MANUAL
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-364w-9g92-3grq
Finding: N/A
Auto approve: 0