GHSA-4qwp-7c67-jmcc

Source
https://github.com/advisories/GHSA-4qwp-7c67-jmcc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-4qwp-7c67-jmcc/GHSA-4qwp-7c67-jmcc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4qwp-7c67-jmcc
Aliases
Published
2021-03-29T20:23:46Z
Modified
2023-11-08T04:05:47.674943Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Unauthenticated remote code execution in Ignition
Details

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
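
The advisory lists four affected version ranges for facade/ignition (under Affected packages below) and names two preconditions for exploitation: debug mode, and Laravel before 8.4.2. The Python script below is an added example, not code from the advisory, from OSV or from Ignition. It reads a composer.lock and a Laravel .env and reports whether all three conditions hold. Assumptions: composer.lock uses its standard "packages" / "packages-dev" arrays with "name" and "version" keys; "debug mode" means APP_DEBUG=true in the application's .env; the sample lock file and .env are constructed for the example.

```python
"""Exposure check for GHSA-4qwp-7c67-jmcc (facade/ignition RCE).

Added example, not code from the advisory or from Ignition. Reads composer.lock
and .env and reports: is facade/ignition in an affected range, is
laravel/framework below 8.4.2, is debug mode (APP_DEBUG=true, our assumption) on.
"""
import json
import re
from typing import Optional, Tuple

# (introduced, fixed) pairs copied from the advisory's ECOSYSTEM ranges.
# OSV semantics: introduced is inclusive, fixed is exclusive; None means
# every version before the fix is affected.
AFFECTED_RANGES = [
    (None, "1.6.15"),
    ("1.7.0", "1.16.14"),
    ("2.0.0", "2.4.2"),
    ("2.5.0", "2.5.2"),
]
LARAVEL_FIXED = "8.4.2"  # "exploitable ... with Laravel before 8.4.2"

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Map a Composer version ("v2.4.1", "2.4.2-beta1") to a comparable tuple.
    Numeric parts are padded to four; the last element is 1 for a plain release
    and 0 for anything with a suffix, so "2.4.2-beta1" sorts below "2.4.2" and a
    pre-release of the fixed version still counts as affected (over-reporting is
    the safe failure). Branch aliases like "dev-master" yield None."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    nums = [int(p) for p in m.group(1).split(".")][:4]
    nums += [0] * (4 - len(nums))
    return tuple(nums + [0 if m.group(2) else 1])


def affected_range(version_text: str) -> Optional[Tuple[Optional[str], str]]:
    """Return the advisory range containing the version, or None."""
    v = parse_version(version_text)
    if v is None:
        return None
    for introduced, fixed in AFFECTED_RANGES:
        low = parse_version(introduced) if introduced else None
        if (low is None or v >= low) and v < parse_version(fixed):
            return (introduced, fixed)
    return None


def laravel_before_fix(version_text: str) -> bool:
    v = parse_version(version_text)
    return v is not None and v < parse_version(LARAVEL_FIXED)


def debug_enabled(env_text: str) -> bool:
    """Laravel's env() helper maps "true" and "(true)" to boolean true; "1" is a
    non-empty string and so truthy in PHP. A missing key leaves the default, false."""
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("APP_DEBUG="):
            value = line.split("=", 1)[1].strip().strip("\"'").lower()
            return value in {"true", "(true)", "1"}
    return False


def locked_version(lock_text: str, package_name: str) -> Optional[str]:
    """Look a package up in composer.lock. "packages-dev" is searched too: Ignition
    is usually a dev dependency, but any `composer install` without --no-dev installs it."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package_name:
                return pkg.get("version")
    return None


def assess(lock_text: str, env_text: str) -> dict:
    ignition = locked_version(lock_text, "facade/ignition")
    laravel = locked_version(lock_text, "laravel/framework")
    rng = affected_range(ignition) if ignition else None
    result = {
        "ignition_version": ignition,
        "ignition_affected_range": rng,
        "laravel_version": laravel,
        "laravel_before_8_4_2": bool(laravel) and laravel_before_fix(laravel),
        "debug_enabled": debug_enabled(env_text),
    }
    # The advisory's stated exploitation preconditions. An affected Ignition
    # version should still be upgraded when the other two are false.
    result["exploitable"] = (
        rng is not None and result["laravel_before_8_4_2"] and result["debug_enabled"]
    )
    return result


# Constructed sample inputs, not taken from any real project.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v8.3.0"}],
    "packages-dev": [{"name": "facade/ignition", "version": "2.4.1"}],
})
SAMPLE_ENV = "APP_NAME=Shop\nAPP_ENV=production\nAPP_DEBUG=true\n"

if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOCK, SAMPLE_ENV).items():
        print(f"{key}: {value}")
```

Run it against a real deployment by passing the contents of its composer.lock and .env to assess(). Two caveats: a version pinned to a branch alias ("dev-master") cannot be placed in a range and is reported as not affected, so inspect those by hand; and APP_DEBUG may be set in the process environment rather than in .env, in which case read it from there instead.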

Database specific
{
    "nvd_published_at": "2021-01-12T15:15:00Z",
    "github_reviewed_at": "2021-03-23T00:13:45Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94"
    ]
}
References

Affected packages

Packagist / facade/ignition

Package

Name
facade/ignition
Purl
pkg:composer/facade/ignition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.5.0
Fixed
2.5.2

Affected versions

2.*

2.5.0
2.5.1

Packagist / facade/ignition

Package

Name
facade/ignition
Purl
pkg:composer/facade/ignition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.4.2

Affected versions

2.*

2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.1.0
2.2.0
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.4.0
2.4.1

Packagist / facade/ignition

Package

Name
facade/ignition
Purl
pkg:composer/facade/ignition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.7.0
Fixed
1.16.14

Affected versions

1.*

1.7.0
1.7.1
1.8.0
1.8.1
1.8.2
1.8.4
1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.11.1
1.11.2
1.12.0
1.12.1
1.13.0
1.13.1
1.14.0
1.15.0
1.16.0
1.16.1
1.16.2
1.16.3
1.16.4

Packagist / facade/ignition

Package

Name
facade/ignition
Purl
pkg:composer/facade/ignition

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.6.15

Affected versions

1.*

1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.1.0
1.1.1
1.2.0
1.3.0
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.4.15
1.4.16
1.4.17
1.4.18
1.4.19
1.5.0
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10