CVE-2021-3129: Laravel Arbitrary Code Vulnerability Alert

Ignition is a beautiful and customizable error page for Laravel applications running on Laravel 5.5 and newer, and it is the default error page for all Laravel 6 applications. It also lets you publicly share your errors on Flare. If configured with a valid Flare API key, errors in your production applications will be tracked, and you will be notified when they happen.

On January 13, 2021, the Ambionics Security team detected a remote code execution vulnerability in the Laravel framework's Ignition component. The vulnerability has been assigned CVE-2021-3129.

Vulnerability Detail

The vulnerability exists because, when the application runs in debug mode, certain interfaces of Laravel's built-in Ignition component do not strictly validate their input. An attacker can abuse this to have the application process a crafted log file, triggering phar deserialization, executing arbitrary code, and ultimately gaining control of the server.

Affected versions

  • Laravel < 8.4.3
  • Facade Ignition < 2.5.2

Solution

The official security patch has been released. Affected users are advised to upgrade the Laravel framework to 8.4.3 or later, or to upgrade the Facade Ignition component to 2.5.2 or later. Because the vulnerability is only reachable in debug mode, production deployments should also confirm that debug mode is disabled.
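A quick inventory check, added here as an example and not part of the advisory or of Laravel's own tooling: it reads a project's composer.lock and .env (file contents passed in as strings; the sample inputs below are constructed) and reports whether an installed package is below the fixed release named above and whether debug mode, the precondition for the issue, is enabled.

```python
import json
import re

# Fixed releases as stated in the advisory for CVE-2021-3129.
FIXED = {"laravel/framework": (8, 4, 3), "facade/ignition": (2, 5, 2)}


def parse_version(v):
    """Turn 'v8.4.2' or '2.5.1' into a 3-int tuple; pre-release tails are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", v.lstrip("v").split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def outdated_packages(composer_lock_json):
    """Return {package: installed_version} for packages below the fixed release."""
    lock = json.loads(composer_lock_json)
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg.get("name"), pkg.get("version", "")
            if name in FIXED and parse_version(version) < FIXED[name]:
                found[name] = version
    return found


def debug_enabled(env_text):
    """True if APP_DEBUG in a .env file is set to a truthy value."""
    for line in env_text.splitlines():
        m = re.match(r"\s*APP_DEBUG\s*=\s*[\"']?(\w+)", line)
        if m:
            return m.group(1).lower() in ("true", "1", "on", "yes")
    return False


def assess(composer_lock_json, env_text):
    """Combine both checks: the issue is only exposed when an outdated package runs in debug mode."""
    pkgs = outdated_packages(composer_lock_json)
    debug = debug_enabled(env_text)
    return {"outdated": pkgs, "debug": debug, "exposed": bool(pkgs) and debug}


# Constructed sample inputs, not taken from any real deployment.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v8.4.2"}],
    "packages-dev": [{"name": "facade/ignition", "version": "2.5.1"}],
})
SAMPLE_ENV = "APP_NAME=Demo\nAPP_DEBUG=true\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_ENV))
```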