CVE-2021-3129 is a remote code execution (RCE) vulnerability rated CVSS 9.8 (critical) that allows an unauthenticated attacker to execute arbitrary code remotely. The defect lies in Ignition, the error page component of the Laravel framework, in versions older than 2.5.2, and it is exploitable only when the framework's debug mode is enabled. The image below shows the vulnerable error page as it is rendered when debug mode is active.
How to identify the Laravel and Ignition versions in use
- Through the CLI, from the project root
$ php artisan --version
- By reading the VERSION constant in the framework source, from the project root
$ vim ./vendor/laravel/framework/src/Illuminate/Foundation/Application.php
- By checking the installed Ignition package itself, which is the component that actually carries the flaw (the resolved version is recorded in composer.lock)
$ composer show facade/ignition
Laravel versions below 8.4.2 and Ignition versions below 2.5.2 are vulnerable. A security patch has been officially released: administrators should upgrade Laravel to 8.4.3 or later, or the facade/ignition package to 2.5.2 or later, as soon as possible. Because the flaw is in Ignition, the installed facade/ignition version is the decisive check regardless of which Laravel version is reported. Debug mode should never be enabled in production; until the patch is installed, setting APP_DEBUG=false in the project's .env file removes the exploitable error page and serves as a temporary mitigation.
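The three checks above (framework version, installed Ignition version, debug mode) combined into one audit script, as an added example that is not part of the original page or of the Laravel project. It assumes the standard Laravel layout (vendor/laravel/framework/.../Application.php, composer.lock, .env) and uses the thresholds the text gives; a project that turns debug on somewhere other than .env (config/app.php or the real process environment) needs manual review. The fixture directories it builds are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): audit a Laravel project tree for
# CVE-2021-3129 exposure. Thresholds follow the advisory: Ignition < 2.5.2 is
# vulnerable; Laravel < 8.4.2 is used only as a weaker fallback signal when
# composer.lock does not list facade/ignition at all.

LARAVEL_FIXED=8.4.2
IGNITION_FIXED=2.5.2

# version_lt A B : succeed when dotted version A is numerically lower than B
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1          # equal is not lower
    }'
}

# laravel_version DIR : the VERSION constant of Illuminate\Foundation\Application
laravel_version() {
    sed -n "s/.*const VERSION = '\([^']*\)'.*/\1/p" \
        "$1/vendor/laravel/framework/src/Illuminate/Foundation/Application.php"
}

# ignition_version DIR : resolved facade/ignition version recorded in composer.lock
# (composer.json only carries a constraint; the lock file holds what is installed)
ignition_version() {
    awk '/"name": "facade\/ignition"/ { hit = 1 }
         hit && /"version":/ { v = $2; gsub(/[",]/, "", v); sub(/^v/, "", v); print v; exit }' \
        "$1/composer.lock"
}

# debug_enabled DIR : succeed when .env switches Laravel debug mode on
debug_enabled() {
    grep -Eiq '^APP_DEBUG=(true|\(true\))$' "$1/.env" 2>/dev/null
}

# assess DIR : print a verdict; exit 0 only when the site is actually exploitable
# (vulnerable Ignition AND debug mode on), exit 1 otherwise
assess() {
    dir=$1
    lv=$(laravel_version "$dir"); iv=$(ignition_version "$dir")
    echo "$dir: laravel=${lv:-unknown} ignition=${iv:-unknown}"
    vuln=1
    if [ -n "$iv" ]; then
        version_lt "$iv" "$IGNITION_FIXED" && vuln=0
    elif [ -n "$lv" ]; then
        version_lt "$lv" "$LARAVEL_FIXED" && vuln=0     # fallback signal only
    fi
    if [ "$vuln" -ne 0 ]; then
        echo "  patched: facade/ignition ${iv:-?} is not below $IGNITION_FIXED"; return 1
    fi
    if debug_enabled "$dir"; then
        echo "  EXPOSED: vulnerable Ignition and APP_DEBUG=true; set APP_DEBUG=false now, then upgrade"
        return 0
    fi
    echo "  vulnerable library but debug mode off; upgrade facade/ignition to >= $IGNITION_FIXED"
    return 1
}

# make_fixture DIR LARAVEL IGNITION DEBUG : constructed minimal project tree holding
# only the three files the checks read, so the script can be exercised offline
make_fixture() {
    mkdir -p "$1/vendor/laravel/framework/src/Illuminate/Foundation"
    printf "<?php\nclass Application {\n    const VERSION = '%s';\n}\n" "$2" \
        > "$1/vendor/laravel/framework/src/Illuminate/Foundation/Application.php"
    printf '{\n  "packages": [\n    {\n      "name": "facade/ignition",\n      "version": "%s",\n      "type": "library"\n    }\n  ]\n}\n' "$3" \
        > "$1/composer.lock"
    printf 'APP_NAME=Laravel\nAPP_DEBUG=%s\n' "$4" > "$1/.env"
}

# Demo on two constructed trees: one unpatched with debug on, one patched.
work=$(mktemp -d)
make_fixture "$work/old" 8.4.1 2.5.1 true
make_fixture "$work/new" 8.4.3 2.5.2 true
for p in old new; do assess "$work/$p" || :; done
rm -rf "$work"
```

To audit a real deployment, call `assess /path/to/laravel/project`; the exit status (0 = exploitable right now) is meant for use in a scripted fleet check, while the printed lines are for the human reading the output.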