Unauthenticated remote code execution in Ignition
Critical severity
GitHub Reviewed
Published Mar 29, 2021 to the GitHub Advisory Database • Updated Feb 1, 2023
Package
Affected versions -> Patched version
>= 2.5.0, < 2.5.2 -> 2.5.2
>= 2.0.0, < 2.4.2 -> 2.4.2
>= 1.7.0, < 1.16.14 -> 1.16.14
< 1.6.15 -> 1.6.15
Description
Published by the National Vulnerability Database: Jan 12, 2021
Reviewed: Mar 23, 2021
Published to the GitHub Advisory Database: Mar 29, 2021
Last updated: Feb 1, 2023
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
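As an added defender-side check, not code from the advisory or the Ignition project, the script below reads a Laravel project's composer.lock and .env and reports whether the installed Ignition version falls in the affected ranges listed above and whether debug mode, the precondition the advisory names, is enabled. It assumes the Composer package name facade/ignition, which this page does not state, and uses constructed sample inputs.

```python
import json
import re

# Affected ranges from the advisory: (lower bound inclusive, upper bound exclusive).
# A lower bound of None means "every version below the upper bound".
AFFECTED_RANGES = [
    ("2.5.0", "2.5.2"),
    ("2.0.0", "2.4.2"),
    ("1.7.0", "1.16.14"),
    (None, "1.6.15"),
]

def parse_version(text):
    """Turn 'v2.5.1' or '1.16' into a comparable 3-tuple of ints (missing parts are 0)."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    """True if the version lies in any affected range from the advisory."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or parse_version(low) <= v) and v < parse_version(high):
            return True
    return False

def find_package(lock_text, name):
    """Return the installed version of `name` from composer.lock, or None if absent."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):  # Ignition is usually a dev dependency
        for pkg in data.get(section, []):
            if pkg.get("name") == name:
                return pkg.get("version")
    return None

def debug_enabled(env_text):
    """True if APP_DEBUG is set to a truthy value in a Laravel .env file."""
    m = re.search(r"^\s*APP_DEBUG\s*=\s*\"?(\w+)\"?", env_text, re.MULTILINE)
    return bool(m) and m.group(1).lower() in ("true", "1", "on", "yes")

def assess(lock_text, env_text):
    """Combine the package version and the debug setting into one verdict."""
    ignition = find_package(lock_text, "facade/ignition")  # assumed package name
    vulnerable = ignition is not None and is_affected(ignition)
    debug = debug_enabled(env_text)
    return {"ignition": ignition, "vulnerable_version": vulnerable,
            "debug": debug, "exposed": vulnerable and debug}

# Constructed sample inputs, not taken from a real project
SAMPLE_LOCK = json.dumps({"packages-dev": [{"name": "facade/ignition", "version": "2.5.1"}]})
SAMPLE_ENV = "APP_NAME=Laravel\nAPP_DEBUG=true\n"
```

A project that reports `exposed` should be upgraded to the patched version for its branch and, regardless, should not run with APP_DEBUG enabled in production.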
References