CVE-2017-16894 (Medium) detected in laravel/framework-v5.5.49

[mend-bolt-for-github]

CVE-2017-16894 - Medium Severity Vulnerability

Vulnerable Library - laravel/framework-v5.5.49

The Laravel Framework.

Library home page: https://api.github.com/repos/laravel/framework/zipball/a81f23d0ccd2fefa7fa9b79649ab23811631d9bf

Dependency Hierarchy:

• orchestra/testbench-v3.5.5 (Root Library)
  • ❌ laravel/framework-v5.5.49 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework.

Publish Date: 2017-11-20

URL: CVE-2017-16894

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html

Release Date: 2017-11-20

Fix Resolution: 5.6.30

---

Step up your Open Source Security Game with Mend here