CVE-2021-3129 — Unauthenticated remote code execution in Ignition

Description

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

How to fix CVE-2021-3129

To remediate CVE-2021-3129, upgrade the affected package to a fixed version below.

—upgrade to 2.5.2 or later

Is CVE-2021-3129 being exploited?

Yes — CVE-2021-3129 is on the CISA Known Exploited Vulnerabilities (KEV) catalog. Patch immediately.

Affected packages (1)

>= 2.5.0, < 2.5.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-3129
PATCHgithub.com/facade/ignition
WEBpacketstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html
WEBpacketstormsecurity.com/files/165999/Ignition-Remote-Code-Execution.html