返回 CVE 浏览器

CVE-2021-3129

Known Exploited (CISA KEV)CRITICAL

9.8

CVSS Severity Score

EPSS Score94.0870%

EPSS Percentile98.22th

Published2021年1月12日

Last Modified2025年11月10日

Vulnerability Description

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

Affected Platforms (CPE)

📦

Facade

Ignition

< 2.5.2

References & Advisories

🔗 http://packetstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html

🔗 http://packetstormsecurity.com/files/165999/Ignition-Remote-Code-Execution.html

🔗 https://github.com/facade/ignition/pull/334

🔗 https://www.ambionics.io/blog/laravel-debug-rce

🔗 http://packetstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html

🔗 http://packetstormsecurity.com/files/165999/Ignition-Remote-Code-Execution.html

🔗 https://github.com/facade/ignition/pull/334

🔗 https://www.ambionics.io/blog/laravel-debug-rce

相关漏洞威胁

CVE-2006-515110.0

Unspecified vulnerability in HP Ignite-UX server before C.6.9.150 for HP-UX B.11.00, B.11.11, and B.11.23 allows remote attackers ...

CVE-2020-139099.8

The Ignition component before 2.0.5 for Laravel mishandles globals, _get, _post, _cookie, and _env. NOTE: in the 1.x series, versi...

CVE-2019-183949.8

A Server Side Request Forgery (SSRF) vulnerability in FaviconServlet.java in Ignite Realtime Openfire through 4.4.2 allows attacke...

CVE-2021-439969.8

The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can lead to inc...