
Remote Code Execution Vulnerability in Laravel Before 8.4.3 (CVE-2021-3129)

Jan 15, 2021 GMT+08:00

I. Overview

A security team has officially released a security notice about the remote code execution vulnerability (CVE-2021-3129) in Laravel before 8.4.3. Laravel is a free open-source PHP web framework. Ignition before 2.5.2, as used in Laravel before 8.4.3, has a vulnerability that allows unauthenticated remote attackers to execute arbitrary code on sites using debug mode. Details about the vulnerability exploits have been disclosed.

If you are a Laravel user, check your Laravel and Ignition versions and implement timely security hardening.

For more information about this vulnerability, visit the following website:

https://www.ambionics.io/blog/laravel-debug-rce?spm=a2c4g.11174386.n2.4.7e0d10515RCoXc

II. Severity

Severity: important

(Severity scale: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Laravel before 8.4.3

Facade Ignition before 2.5.2

Secure versions:

Laravel 8.4.3 and later

Facade Ignition 2.5.2 and later

IV. Vulnerability Handling

This vulnerability has been fixed in later official versions. If your service version falls into the affected range, upgrade it to the latest secure version.

https://github.com/laravel/laravel/releases

https://github.com/facade/ignition/releases
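The notice asks you to check your Laravel and Ignition versions and notes that the vulnerability is reachable only on sites running in debug mode. The following script is an added example (not part of this notice or of the Laravel or Ignition projects) that performs that check offline: it reads the installed `facade/ignition` version from `composer.lock` (the `laravel/laravel` skeleton is the application's root package and therefore has no entry of its own there, so the installed Ignition version is the decisive package check) and reads `APP_DEBUG` from `.env`, then reports whether the site is exposed. The sample `composer.lock` and `.env` contents are constructed for illustration.

```python
"""Check an installed Laravel app against CVE-2021-3129 (Ignition before 2.5.2).

Added example, not from the original notice. It reads composer.lock (which
records every installed package and its version) and .env (which sets
APP_DEBUG). The sample inputs at the bottom are constructed for illustration.
"""
import json
import re

FIXED_IGNITION = "2.5.2"          # from the notice: Ignition 2.5.2 and later is secure
IGNITION_PACKAGE = "facade/ignition"


def parse_version(v):
    """Turn 'v2.5.1' or '2.5.1' into a comparable tuple of ints (suffixes ignored)."""
    core = re.match(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in core.group(1).split("."))


def installed_version(lock_text, package):
    """Return the version of `package` recorded in composer.lock, or None if absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def app_debug_enabled(env_text):
    """Return True if APP_DEBUG is set to a truthy value in a .env file."""
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "APP_DEBUG":
            return value.strip().strip("\"'").lower() in ("true", "1", "yes", "on")
    return False   # Laravel's config/app.php falls back to false when APP_DEBUG is unset


def assess(lock_text, env_text):
    """Combine both checks into a small report dict."""
    version = installed_version(lock_text, IGNITION_PACKAGE)
    outdated = version is not None and parse_version(version) < parse_version(FIXED_IGNITION)
    debug = app_debug_enabled(env_text)
    return {
        "ignition_version": version,
        "ignition_outdated": outdated,
        "debug_enabled": debug,
        # Exposed only when an affected Ignition is installed *and* debug mode is on;
        # upgrading Ignition or disabling debug in production removes the exposure.
        "exposed": outdated and debug,
    }


# Constructed sample inputs: an outdated Ignition with debug mode left on.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "facade/ignition", "version": "2.5.1"},
    ],
    "packages-dev": [],
})
SAMPLE_ENV = "APP_NAME=Laravel\nAPP_ENV=production\nAPP_DEBUG=true\n"

if __name__ == "__main__":
    # On a real host: assess(open("composer.lock").read(), open(".env").read())
    print(assess(SAMPLE_LOCK, SAMPLE_ENV))
```

Run it from the application root against the real `composer.lock` and `.env` (see the comment in the block). A report with `"exposed": True` means both conditions named in the notice hold; upgrading Ignition to 2.5.2 or later is the fix, and `APP_DEBUG=false` in production is the setting Laravel expects regardless of this vulnerability.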

HUAWEI CLOUD WAF can defend against this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.