CVE-2018-15133

Laravel Deserialization of Untrusted Data Vulnerability

Severity Score

8.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

*SSVC

Descriptions

In Laravel Framework through 5.5.40 and 5.6.x through 5.6.29, remote code execution might occur as a result of an unserialize call on a potentially untrusted X-XSRF-TOKEN value. This involves the decrypt method in Illuminate/Encryption/Encrypter.php and PendingBroadcast in gadgetchains/Laravel/RCE/3/chain.php in phpggc. The attacker must know the application key, which normally would never occur, but could happen if the attacker previously had privileged access or successfully accomplished a previous attack.

En Laravel Framework hasta la versión 5.5.40 y versiones 5.6.x hasta la 5.6.29, podría ocurrir una ejecución remota de código como resultado de una llamada unserialize en un valor X-XSRF-TOKEN que podría no ser fiable. Esto está relacionado con el método decrypt en Illuminate/Encryption/Encrypter.php y PendingBroadcast en gadgetchains/Laravel/RCE/3/chain.php en phpggc. Le atacante debe conocer la clave de la aplicación, algo que normalmente nunca sucedería, pero podría pasar si el atacante tuviese acceso privilegiado o lograse de forma exitosa un ataque anterior.

Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a malicious user has accessed the application encryption key (APP_KEY environment variable).

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-08-07 CVE Reserved
2018-08-09 CVE Published
2019-05-17 First Exploit
2024-01-16 Exploited in Wild
2024-02-06 KEV Due Date
2024-08-05 CVE Updated
2024-11-12 EPSS Updated

CWE

CWE-502: Deserialization of Untrusted Data

CAPEC

References (9)

URL	Tag	Source
http://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html	X_refsource_misc
https://github.com/laravel/framework/pull/25121/commits/d84cf988ed5d4661a4bf1fdcb08f5073835083a0

URL	Date	SRC
https://www.exploit-db.com/exploits/47129	2019-07-16
https://github.com/kozmic/laravel-poc-CVE-2018-15133	2024-03-10
https://github.com/AzhariKun/CVE-2018-15133	2021-01-08
https://github.com/Bilelxdz/Laravel-CVE-2018-15133	2019-05-17
https://github.com/AlienX2001/better-poc-for-CVE-2018-15133	2020-12-05
https://github.com/NatteeSetobol/CVE-2018-15133-Lavel-Expliot	2021-12-28

URL	Date	SRC

URL	Date	SRC
https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30	2018-08-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Laravel Search vendor "Laravel"		Laravel Search vendor "Laravel" for product "Laravel"				<= 5.5.40 Search vendor "Laravel" for product "Laravel" and version " <= 5.5.40"		-		Affected
Laravel Search vendor "Laravel"		Laravel Search vendor "Laravel" for product "Laravel"				>= 5.6.0 <= 5.6.29 Search vendor "Laravel" for product "Laravel" and version " >= 5.6.0 <= 5.6.29"		-		Affected