GHSA-364w-9g92-3grq

Published: 16 Nov 2021
Source: github
GitHub: reviewed

Description

Withdrawn: Laravel Framework does not sufficiently block the upload of executable PHP content.

Withdrawn

This advisory has been withdrawn after the maintainers of Laravel noted this issue is not a security vulnerability with Laravel itself, but rather a userland issue.

Original CVE-based description

Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. In some use cases, this may be related to file-type validation for image upload (e.g., differences between getClientOriginalExtension and other approaches).
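As an added illustration of the "userland" side that the withdrawal notice refers to (this is example code, not Laravel's own and not part of the original advisory): an upload check built on an allowlist rather than the extension denylist the CVE text describes, so a missing entry such as .phar cannot slip through. The function and constant names are assumptions for the example.

```php
<?php
// Added example, not Laravel code: fail-closed validation of an uploaded image.
// A denylist of "dangerous" extensions is only as complete as its last entry
// (the CVE text cites .phar being absent); an allowlist has no such gap.

const MIME_TO_EXT = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

/**
 * Validate an upload by both its client-supplied name and its actual content.
 *
 * @param string $clientName untrusted original filename from the client
 * @param string $tmpPath    server-side temporary path of the uploaded bytes
 * @return string|null       server-chosen safe filename, or null if rejected
 */
function acceptImageUpload(string $clientName, string $tmpPath): ?string
{
    // Every dot-separated segment after the base name must be allowed, so
    // "shell.phar.jpg" and "shell.php.png" are rejected, not only "shell.phar".
    $segments = explode('.', strtolower(basename($clientName)));
    if (count($segments) < 2) {
        return null;
    }
    foreach (array_slice($segments, 1) as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return null;
        }
    }

    // Sniff the bytes; never trust the client's Content-Type header.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = $finfo ? finfo_file($finfo, $tmpPath) : false;
    if ($finfo) {
        finfo_close($finfo);
    }
    if ($mime === false || !isset(MIME_TO_EXT[$mime])) {
        return null;
    }

    // Decoding as an image confirms the payload is what the MIME type claims.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }

    // Never reuse the client filename: random name, extension derived from content.
    // Store the result outside the web root or in a directory with no PHP handler.
    return bin2hex(random_bytes(16)) . '.' . MIME_TO_EXT[$mime];
}
```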

Packages

Name: laravel/framework (composer)
Affected versions: <= 8.70.2
Fixed version: none

EPSS

Percentile: 98%
Score: 0.4777
Severity: Medium

Weaknesses

CWE-434

Related vulnerabilities

CVSS3: 9.8
ubuntu
more than 3 years ago

Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.

CVSS3: 9.8
nvd
more than 3 years ago

Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.

CVSS3: 9.8
debian
more than 3 years ago

Laravel Framework through 8.70.2 does not sufficiently block the uploa ...

CVSS3: 9.8
fstec
more than 3 years ago

Vulnerability in the Laravel PHP framework related to unrestricted upload of a file of a dangerous type, allowing an attacker to execute arbitrary code
