Candidate: CVE-2021-43617
PublicDate: 2021-11-14 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43617
 https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b
 https://salsa.debian.org/php-team/php/-/blob/dc253886b5b2e9bc8d9e36db787abb083a667fd8/debian/php-cgi.conf#L5-6
 https://github.com/laravel/framework/blob/2049de73aa099a113a287587df4cc522c90961f5/src/Illuminate/Validation/Concerns/ValidatesAttributes.php#L1331-L1333
 https://salsa.debian.org/php-team/php/-/commit/dc253886b5b2e9bc8d9e36db787abb083a667fd8
Description:
 Laravel Framework through 8.70.2 does not sufficiently block the upload of
 executable PHP content because
 Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for
 .phar files, which are handled as application/x-httpd-php on systems based
 on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated
 to any reports concerning incorrectly written user applications for image
 upload.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_php-laravel-framework:
upstream_php-laravel-framework: needs-triage
trusty_php-laravel-framework: ignored (out of standard support)
xenial_php-laravel-framework: ignored (out of standard support)
hirsute_php-laravel-framework: ignored (reached end-of-life)