CVE-2021-3129
Laravel Ignition File Upload Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
36Exploited in Wild
YesDecision
Descriptions
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
Ignition versiones anteriores a 2.5.2, como es usado en Laravel y otros productos, permite a atacantes remotos no autenticados ejecutar código arbitrario debido a un uso no seguro de las funciones file_get_contents() y file_put_contents(). Esto es explotable en sitios que usan el modo de depuración con Laravel versiones anteriores a 8.4.2
Laravel Ignition contains a file upload vulnerability that allows unauthenticated remote attackers to execute malicious code due to insecure usage of file_get_contents() and file_put_contents().
CVSS Scores
SSVC
- Decision:Act
Timeline
- 2021-01-12 CVE Reserved
- 2021-01-12 CVE Published
- 2021-01-14 First Exploit
- 2023-09-18 Exploited in Wild
- 2023-10-09 KEV Due Date
- 2025-02-04 CVE Updated
- 2025-03-18 EPSS Updated
CWE
CAPEC
References (37)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/facade/ignition/pull/334 | 2022-02-22 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Facade Search vendor "Facade" | Ignition Search vendor "Facade" for product "Ignition" | < 2.5.2 Search vendor "Facade" for product "Ignition" and version " < 2.5.2" | laravel |
Affected
| in | Laravel Search vendor "Laravel" | Laravel Search vendor "Laravel" for product "Laravel" | < 8.4.2 Search vendor "Laravel" for product "Laravel" and version " < 8.4.2" | - |
Safe
|