The Ambionics Security team found a remote code execution vulnerability in the Laravel component. The vulnerability is tracked as CVE-2021-3129.
Vulnerability Detail
The vulnerability arises because, in debug mode, certain interfaces of Laravel's built-in Ignition component do not strictly filter input data. This allows attackers to use malicious log files to trigger a phar deserialization attack, achieve remote code execution, and ultimately obtain server permissions.
Affected version
- Laravel < 8.4.3
- Facade ignition < 2.5.2
Solution
The latest security patch has been released. Affected users are advised to upgrade the Laravel framework.
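To decide whether a given deployment needs the upgrade, the following added example (not code from Ambionics or the Laravel project) audits a project's `composer.lock` and `.env` against the affected versions and the debug-mode precondition listed above. It assumes the Composer package names `laravel/framework` and `facade/ignition`; the sample lock and `.env` contents are constructed.

```python
import json
import re

# Thresholds as stated in the advisory; the Composer package names
# they are mapped to are an assumption of this example.
FIXED_IN = {"laravel/framework": (8, 4, 3), "facade/ignition": (2, 5, 2)}

def parse_version(text):
    """Turn 'v8.4.2' or '2.5.1' into a tuple; None if not numeric (dev-master)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(p or 0) for p in m.groups()) if m else None

def debug_enabled(env_text):
    """True if the .env text sets APP_DEBUG to a truthy value."""
    for line in env_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "APP_DEBUG":
            return value.strip().strip("\"'").lower() in ("true", "(true)", "1")
    return False

def audit(lock_text, env_text):
    """Return a list of findings for one composer.lock / .env pair."""
    lock = json.loads(lock_text)
    findings = []
    # Ignition is usually a dev dependency, so scan both lock sections.
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, raw = pkg.get("name"), pkg.get("version", "")
        fixed = FIXED_IN.get(name)
        if fixed is None:
            continue
        ver = parse_version(raw)
        if ver is None:
            findings.append(f"{name} {raw}: version not comparable, check manually")
        elif ver < fixed:
            findings.append(f"{name} {raw}: below {'.'.join(map(str, fixed))}")
    if debug_enabled(env_text):
        findings.append("APP_DEBUG is enabled")
    return findings

# Constructed sample input, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v8.4.2"}],
    "packages-dev": [{"name": "facade/ignition", "version": "2.5.1"}],
})
SAMPLE_ENV = "APP_NAME=demo\n# APP_DEBUG=false\nAPP_DEBUG=true\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK, SAMPLE_ENV):
        print(finding)
```

An empty result means the lock file is at or above the fixed versions and debug mode is off in that `.env`; it does not cover `APP_DEBUG` set through the process environment or web server configuration.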
Working Exploit Script
https://github.com/ambionics/laravel-exploits