Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRxd3AtN2M2Ny1qbWNj
Unauthenticated remote code execution in Ignition
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
Permalink: https://github.com/advisories/GHSA-4qwp-7c67-jmccJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRxd3AtN2M2Ny1qbWNj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-4qwp-7c67-jmcc, CVE-2021-3129
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-3129
- https://github.com/facade/ignition/pull/334
- https://github.com/facade/ignition/commit/11ffca14abd22db779d90b12e193f8000f6d184b
- https://www.ambionics.io/blog/laravel-debug-rce
- https://github.com/FriendsOfPHP/security-advisories/blob/master/facade/ignition/CVE-2021-3129.yaml
- http://packetstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165999/Ignition-Remote-Code-Execution.html
- https://github.com/advisories/GHSA-4qwp-7c67-jmcc
Blast Radius: 52.2
Affected Packages
packagist:facade/ignition
Dependent packages: 599Dependent repositories: 209,863
Downloads: 93,245,823 total
Affected Version Ranges: < 1.6.15, >= 1.7.0, < 1.16.14, >= 2.0.0, < 2.4.2, >= 2.5.0, < 2.5.2
Fixed in: 1.6.15, 1.16.14, 2.4.2, 2.5.2
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.2.0, 1.3.0, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.7.0, 1.7.1, 1.8.0, 1.8.1, 1.8.2, 1.8.4, 1.9.0, 1.9.1, 1.9.2, 1.10.0, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.13.0, 1.13.1, 1.14.0, 1.15.0, 1.16.0, 1.16.1, 1.16.2, 1.16.3, 1.16.4, 2.0.0, 2.0.1, 2.0.2, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.4.0, 2.4.1, 2.5.0, 2.5.1
All unaffected versions: 1.6.15, 1.16.14, 1.16.15, 1.17.0, 1.18.0, 1.18.1, 2.4.2, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.12, 2.5.13, 2.5.14, 2.6.0, 2.6.1, 2.7.0, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.10.0, 2.10.1, 2.10.2, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.12.0, 2.12.1, 2.13.0, 2.13.1, 2.14.0, 2.14.1, 2.15.0, 2.16.0, 2.16.1, 2.17.0, 2.17.1, 2.17.2, 2.17.3, 2.17.4, 2.17.5, 2.17.6, 2.17.7