CVE-2021-3129
Published 2021-01-12
Priority: P1 · 100 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability, due 2023-10-09
Exploited in the wild
EPSS: 99.94% (100.0th percentile)
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| facade | ignition | < 2.5.2 | 2.5.2 |
| facade | ignition | >= 0 < 1.6.15 | 1.6.15 |
| facade | ignition | >= 1.7.0 < 1.16.14 | 1.16.14 |
| facade | ignition | >= 2.0.0 < 2.4.2 | 2.4.2 |
| facade | ignition | >= 2.5.0 < 2.5.2 | 2.5.2 |
Detection & IOCs
- Monitor for HTTP POST requests targeting the /_ignition/execute-solution endpoint, especially with base64-encoded payloads in the request body, as this is the attack vector for CVE-2021-3129 exploitation.
- CVE-2021-3129 is actively exploited by the RUBYCARP botnet to gain initial access to Laravel applications; look for shellbot (Perl-based) payloads connecting to IRC-based C2 channels post-exploitation.
- CVE-2021-3129 is included in the Necro Python bot's exploit arsenal; watch for Necro bot spreading activity (IRC C2, XMRig miner installation, .bootstrap.sh dropper script) following Laravel exploitation.
- Stolen credentials from systems vulnerable to CVE-2021-3129 have been traced to LLM jacking campaigns; monitor for unexpected InvokeModel API calls or ValidationException errors with max_tokens_to_sample set to -1 after a Laravel compromise.
- Use GreyNoise to identify IPs opportunistically scanning for or exploiting CVE-2021-3129 at scale to prioritize patching and block mass-exploitation sources.
- The vulnerability is only exploitable when Laravel debug mode is enabled in production; sites running Laravel >= 8.4.2 or Ignition >= 2.5.2 are not affected.
- The exploit abuses insecure usage of file_get_contents() and file_put_contents() in Ignition; detection rules should account for these PHP file operation calls being triggered via the debug route.
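The matching logic of the Suricata rules quoted further down this page, applied to constructed request records, as an added example that is not taken from any of the sources quoted here. It parses the JSON body instead of matching bytes, so a body serialized without the space after the colon still matches; the `parameters` and `variableName` field names and every sample path are assumptions made for the sample records.

```python
import json
import re

ENDPOINT = "/_ignition/execute-solution"
SOLUTION = "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution"
# viewFile prefixes taken from the ET rules quoted on this page.
STAGES = {
    "php://filter/read=consumed/resource=": "log-clear attempt",
    "phar://": "payload execution attempt",
}
# Fallback for bodies that are not valid JSON: tolerate whitespace around ':'.
RAW_VIEWFILE = re.compile(r'"viewFile"\s*:\s*"([^"]*)"')


def find_key(node, key):
    """Yield every string stored under `key` anywhere in a parsed JSON tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and isinstance(v, str):
                yield v
            yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)


def classify(method, uri, body):
    """Return the matched stage label, or None when the request does not match."""
    if method.upper() != "POST" or not uri.startswith(ENDPOINT):
        return None
    try:
        doc = json.loads(body)
        solutions = list(find_key(doc, "solution"))
        view_files = list(find_key(doc, "viewFile"))
    except ValueError:  # malformed JSON: fall back to a raw pattern search
        solutions = [SOLUTION] if "MakeViewVariableOptionalSolution" in body else []
        view_files = RAW_VIEWFILE.findall(body)
    if SOLUTION not in solutions:
        return None
    for value in view_files:
        for prefix, label in STAGES.items():
            if value.lower().startswith(prefix):
                return label
    return None


def sample_body(view_file, compact=False):
    """Build a constructed request body; the field layout is an assumption."""
    doc = {"solution": SOLUTION,
           "parameters": {"variableName": "x", "viewFile": view_file}}
    return json.dumps(doc, separators=(",", ":")) if compact else json.dumps(doc)


# Constructed records: (method, uri, body). Paths are placeholders.
SAMPLES = [
    ("POST", "/_ignition/execute-solution/",
     sample_body("php://filter/read=consumed/resource=/constructed/placeholder.log")),
    ("POST", "/_ignition/execute-solution",
     sample_body("phar:///constructed/placeholder.log", compact=True)),
    ("POST", "/_ignition/execute-solution",
     sample_body("/constructed/views/welcome.blade.php")),
    ("GET", "/", ""),
]


def scan(samples=SAMPLES):
    return [classify(*record) for record in samples]


if __name__ == "__main__":
    for record, verdict in zip(SAMPLES, scan()):
        print(record[0], record[1], "->", verdict)
```

The third record is a solution request with an ordinary view path and is deliberately not flagged; on a host where debug mode should be off, any POST to this endpoint is still worth reviewing.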
CVSS provenance
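| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |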
GHSA
Unauthenticated remote code execution in Ignition
ghsa·2021-03-29
CVE-2021-3129 [CRITICAL] CWE-94 Unauthenticated remote code execution in Ignition
OSV
Unauthenticated remote code execution in Ignition
osv·2021-03-29
CVE-2021-3129 [CRITICAL] Unauthenticated remote code execution in Ignition
VulnCheck
Laravel Ignition File Upload Vulnerability
vulncheck·2021·CVSS 9.8
CVE-2021-3129 [CRITICAL] Laravel Ignition File Upload Vulnerability
Laravel Ignition contains a file upload vulnerability that allows unauthenticated remote attackers to execute malicious code due to insecure usage of file_get_contents() and file_put_contents().
Affected: Laravel Ignition
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/; https://blogs.juniper.net/en-us/threat-research/sysrv-botnet-expands-and-gains-persistence; https://www.bleepingcomputer.com/news/security/new-cryptomining-malware-builds-an-army-of-windows-linux-bots/; https://blog.talosintellige
CISA
Laravel Ignition File Upload Vulnerability
cisa·2023-09-18·CVSS 9.8
CVE-2021-3129 [CRITICAL] Laravel Ignition File Upload Vulnerability
Vulnerability: Laravel Ignition File Upload Vulnerability
Affected: Laravel Ignition
Laravel Ignition contains a file upload vulnerability that allows unauthenticated remote attackers to execute malicious code due to insecure usage of file_get_contents() and file_put_contents().
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/facade/ignition/releases/tag/2.5.2; https://nvd.nist.gov/vuln/detail/CVE-2021-3129
Remediation Due Date: 2023-10-09
Suricata
ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Attempt to clear logs
suricata·2021-06-03·CVSS 9.8
CVE-2021-3129 [CRITICAL] ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Attempt to clear logs
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Attempt to clear logs"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|php|3a 2f 2f|filter|2f|read|3d|consumed|2f|resource|3d|"; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin;
Suricata
ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Attempt to clear logs
suricata·2021-06-03·CVSS 9.8
CVE-2021-3129 [CRITICAL] ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Attempt to clear logs
Rule: alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Attempt to clear logs"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|php|3a 2f 2f|filter|2f|read|3d|consumed|2f|resource|3d|"; reference:url,blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/lar
Suricata
ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Payload Execution Attempt
suricata·2021-06-03·CVSS 9.8
CVE-2021-3129 [CRITICAL] ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Payload Execution Attempt
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Inbound - Payload Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|phar|3a 2f 2f|"; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:cve,2021-3129; classtype:attempted-admin; sid:2033080; rev:1; metadata:affe
Suricata
ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Payload Execution Attempt
suricata·2021-06-03·CVSS 9.8
CVE-2021-3129 [CRITICAL] ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Payload Execution Attempt
Rule: alert http $HOME_NET any -> any any (msg:"ET EXPLOIT Laravel Remote Code Execution (CVE-2021-3129) Outbound - Payload Execution Attempt"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/_ignition/execute-solution/"; startswith; fast_pattern; http.request_body; content:"|22|solution|22 3a 20 22|Facade|5c 5c|Ignition|5c 5c|Solutions|5c 5c|MakeViewVariableOptionalSolution|22|"; content:"|22|viewFile|22 3a 20 22|phar|3a 2f 2f|"; reference:url,blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html; reference:url,www.ambionics.io/blog/laravel-debug-rce; reference:url,github.com/ambionics/laravel-exploits/blob/main/laravel-ignition-rce.py; reference:c
Exploit-DB
Laravel 8.4.2 debug mode - Remote code execution
exploitdb·2021-01-14
CVE-2021-3129 Laravel 8.4.2 debug mode - Remote code execution
---
# Exploit Title: Laravel 8.4.2 debug mode - Remote code execution
# Date: 1.14.2021
# Exploit Author: SunCSR Team
# Vendor Homepage: https://laravel.com/
# References:
# https://www.ambionics.io/blog/laravel-debug-rce
# https://viblo.asia/p/6J3ZgN8PKmB
# Version: payload.txt'''%(command))
payload = ''
with open('payload.txt', 'r') as fp:
payload = fp.read()
payload = payload.replace('==', '=3D=')
for i in range(padding):
payload += '=00'
os.system('rm -rf payload.txt')
return payload
def main():
if len(sys.argv) < 4:
print('Usage: %s url path-log command\n'%(sys.argv[0]))
print('\tEx: %s http(s)://pwnme.me:8000 /var/www/html/laravel/storage/logs/laravel.log \'id\''%(sys.argv[0]))
exit(1)
if not os.path.isfile('./phpggc/phpggc'):
pr
Metasploit
Unauthenticated remote code execution in Ignition
metasploit
Nuclei
Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution
nuclei·CVSS 9.8
CVE-2021-3129 [CRITICAL] Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution
Laravel version 8.4.2 and before with Ignition before 2.5.2 allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
Template:
id: CVE-2021-3129
info:
name: Laravel with Ignition <= v8.4.2 Debug Mode - Remote Code Execution
author: z3bd,pdteam
severity: critical
description: Laravel version 8.4.2 and before with Ignition before 2.5.2 allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
impact: |
Successful exp
CTF
Web-DaaS / README
ctf_writeups·2021·CVSS 9.8
CVE-2021-3129 [CRITICAL] Web-DaaS / README
# CTF HackTheBox 2021 Cyber Apocalypse 2021 - DaaS
Category: Web, Points: 300
# DaaS Solution
Let's start the docker and browse it:
So we can see it's Laravel v8.35.1.
For this version we know about CVE-2021-3129. We can find an exploit at this link [https://github.com/ambionics/laravel-exploits](https://github.com/ambionics/laravel-exploits). Let's try to use it:
```console
┌─[evyatar@parrot]─[/ctf_htb/cyber_apocalypse/web/daas]
└──╼ $ git clone https://github.com/ambionics/laravel-exploits.git
┌─[evyatar@parrot]─[/ctf_htb/cyber_apocalypse/web/daas]
└──╼ $ cd laravel-exploits
┌─[evyatar@parrot]─[/ctf_htb/cyber_apocalypse/web/daas]
└──╼ $ git clone https://github.com/ambionics/phpggc.git
```
Now, let's build the phar file that contains our payload:
```console
┌─[evyatar@parrot]─[/ctf_
```
CTF
medium / README
ctf_writeups·CVSS 9.1
[CRITICAL] medium / README
---
layout: default
title: Medium Machines
parent: Machines
nav_order: 2
description: "112+ Medium HTB machine writeups with walkthroughs"
permalink: /machines/medium/
---
# HackTheBox - Medium Machines
> Comprehensive index of retired HTB Medium-difficulty machines with key techniques and attack path summaries.
**Total: 100+ machines** | Sorted roughly by retirement date (newest first)
---
## Machine Index
| # | Machine | OS | Key Techniques | Attack Path Summary | Writeup |
|---|---------|-----|----------------|---------------------|---------|
| 1 | Signed | Linux | Code Signing Bypass, Certificate Abuse | Forge code signature to deploy malicious update, escalate via trusted binary execution | [0xdf](https://0xdf.gitlab.io/2026/02/07/htb-signed.html) |
| 2 | Voleur | Linux | Data E
CTF
Horizontall / README
ctf_writeups
Horizontall / README
# Horizontall
> Write-up author: jon-brandy
## Lesson learned:
- Generating ssh-keygen to get a stable shell at the remote server.
- Port forwarding from remote server to local server.
- Exploiting Laravel 8.4.2
## STEPS:
> PORT SCANNING
```
┌──(brandy㉿bread-yolk)-[~]
└─$ nmap -p- -sVC 10.10.11.105 --min-rate 1000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-14 04:24 PDT
Nmap scan report for 10.10.11.105
Host is up (0.031s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ee774143d482bd3e6e6e50cdff6b0dd5 (RSA)
| 256 3ad589d5da9559d9df016837cad510b0 (ECDSA)
|_ 256 4a0004b49d29e7af37161b4f802d9894 (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_h
```
CTF
Horizontall / README
ctf_writeups·CVSS 9.8
CVE-2019-18818 [CRITICAL] Horizontall / README
# Horizontall - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we begin by enumerating open services using ```nmap``` – finding ports ```22``` and ```80```.
***User***: Found subdomain ```api-prod``` on one of the JavaScript files, By enumerating the subdomain we found login page of ```Strapi``` system, Reset the ```admin``` password using ```CVE-2019-18818``` and using the same exploit we write our SSH public key to ```/opt/strapi/.ssh/authorized_keys``` directory which allows us to login using our SSH private key to get a shell as ```strapi``` user.
***Root***: Found local service on port ```8000``` (running as ```root```) which is```Laravel``` system, Using ```CVE-2021-3129``` we write our SSH public key to ```/root/.ssh/authorized_keys
Qualys
Inside the Surge of PHP and IoT Exploits with Qualys TRU | Qualys
blogs_qualys·2025-10-30·CVSS 10.0
CVE-2022-22947 [CRITICAL] Inside the Surge of PHP and IoT Exploits with Qualys TRU | Qualys
Attack automation is accelerating, widening the window between detection and response. Qualys TRU telemetry reveals how these attacks unfold and what defenders can do next.
The Qualys Threat Research Unit (TRU) has identified a sharp increase in attacks targeting PHP servers, IoT devices, and cloud gateways, pr
Qualys
What Security Teams Need to Know as PHP and IoT Exploits Surge
blogs_qualys·2025-10-30·CVSS 10.0
CVE-2022-22947 [CRITICAL] What Security Teams Need to Know as PHP and IoT Exploits Surge
Attack automation is accelerating, widening the window between detection and response. Qualys TRU telemetry reveals how these attacks unfold and what defenders can do next.
The Qualys Threat Research Unit (TRU) has identified a sharp increase in attacks targeting PHP servers, IoT devices, and cloud gateways, primarily driv
Wiz
What is LLM Jacking? | Wiz
blogs_wiz·2024-08-05
What is LLM Jacking? | Wiz
## What is LLM Jacking?
LLM jacking is an attack technique that cybercriminals use to manipulate and exploit an enterprise’s cloud-based LLMs (large language models). LLM jacking involves stealing and selling cloud account credentials to enable malicious access to an enterprise’s LLMs while the victim unknowingly covers the consumption costs.
Our research shows that 7 out of 10 businesses leverage artificial intelligence (AI) services, including generative AI (GenAI) offerings from cloud providers including Amazon Bedrock and SageMaker, Google Vertex AI, and Azure OpenAI Service. These services provide developers access to LLM models like Claude, Jurassic-2, the GPT series, DALL-E, OpenAI Codex, Amazon Titan, and Stable Diffusion. By selling access to LLM models, cybercriminals can start
Bleepingcomputer
RUBYCARP hackers linked to 10-year-old cryptomining botnet
blogs_bleepingcomputer·2024-04-09·CVSS 9.8
[CRITICAL] RUBYCARP hackers linked to 10-year-old cryptomining botnet
## RUBYCARP hackers linked to 10-year-old cryptomining botnet
## Bill Toulas
A Romanian botnet group named 'RUBYCARP' is leveraging known vulnerabilities and performing brute force attacks to breach corporate networks and compromise servers for financial gain.
According to a new report by Sysdig, RUBYCARP currently operates a botnet managed via private IRC channels comprising over 600 compromised servers.
Sysdig has found 39 variants of the RUBYCARP botnet's Perl-based payload (shellbot), with only eight appearing on VirusTotal, illustrating low detection rates for the activity.
"The Sysdig Threat Research Team (Sysdig TRT) recently discovered a long-running botnet operated by a Romanian threat actor group, which we are calling RUBYCARP," explains the researchers.
"Evidence suggests
Talos
Necro Python bot adds new exploits and Tezos mining to its bag of tricks
blogs_talos·2021-06-03
Necro Python bot adds new exploits and Tezos mining to its bag of tricks
By Vanja Svajcer, with contributions from Caitlin Huey and Kendall McKay.
### News summary
- Some malware families stay static in terms of their functionality. But a newly discovered malware campaign utilizing the Necro Python bot shows this actor is adding new functionality and improving its chances of infecting vulnerable systems. The bot contains exploits for more than 10 different web applications and the SMB protocol.
- Cisco Talos recently discovered the increased activity of the bot discovered in January 2021 in Cisco Secure Endpoint product telemetry, although the bot has been in development since 2015, according to its author.
- This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably Exploit Public-Facing Application T1190, Scripting - T1064, Powe
Greynoiseio
GreyNoise Use Cases: SOC Efficiency, Compromised Devices, Emerging Vulnerabilities
blogs_greynoiseio
HackerOne
Information disclosure due to debug mode enabled at Laravel instance https://mpos.mtn.co.sz/
hackerone·2025-02-23·CVSS 9.8
CVE-2021-3129 [CRITICAL] Information disclosure due to debug mode enabled at Laravel instance https://mpos.mtn.co.sz/
## Summary:
CVE-2021-3129 is a Remote Code Execution vulnerability in the Laravel framework which takes advantage of unsafe usage of PHP. This vulnerability and the steps to exploit it follow a similar path to a classic log poisoning attack. In typical log poisoning, the attacker needs to exploit a local file inclusion first in order to achieve remote code execution, while in the Laravel framework, we need the Ignition module (Ignition is a page for displaying an error) and a specific chain to trigger this vulnerability. This security issue is relatively easy to exploit and does not require user authentication which is one of the reasons why it has a 9.8 CVSSv3 score.
In Laravel igni
- http://packetstormsecurity.com/files/162094/Ignition-2.5.1-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/165999/Ignition-Remote-Code-Execution.html
- https://github.com/facade/ignition/pull/334
- https://www.ambionics.io/blog/laravel-debug-rce
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3129

Published: 2021-01-12
Added to CISA KEV: 2023-09-18
Exploited in the wild