CVE-2021-43617
Published 2021-11-14 · CVE-2021-43617: Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because…
Priority P269 · Critical 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 19.81% (percentile 97.1)
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.
Affected (2 distinct ranges; the NVD and OSV entries for laravel/framework describe the same range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-laravel-framework | < 6.20.14+dfsg-3 (bookworm) | 6.20.14+dfsg-3 (bookworm) |
| laravel | framework | <= 8.70.2 (also listed as 0 – 8.70.2) | — |
Detection & IOCs (extracted from sources)
- Flag uploads whose client filename ends in .phar (or .php/.phtml) but that pass Laravel's `image`/`mimes` validation. Those rules check the MIME type sniffed from the file content, not the client-supplied extension, so a file with an image header and a .phar name is accepted; on a Debian-based host whose Apache PHP configuration maps .phar to application/x-httpd-php it executes if the application stores it under its original name in a web-served path.
- Detect uploaded files that begin with the JPEG magic bytes FF D8 FF (FF D8 FF E0 for a JFIF header) but carry a .phar or other PHP-handled extension. An image header prepended to PHP code is the way executable content is smuggled past content-sniffing image validation.
- Monitor for POST requests delivering .phar files to upload endpoints, particularly on Debian-based hosts running Laravel <= 8.70.2. A standard web server access log records the request path, not the multipart filename, so this needs application-level logging of the original filename or a periodic scan of the upload directory.
- The .phar execution risk is specific to deployments where the web server maps .phar to application/x-httpd-php, which Debian's packaged Apache PHP configuration does. A server whose PHP handler matches only *.php will not execute an uploaded .phar as PHP, though the file is still attacker-controlled content.
- This CVE is scoped to the Laravel Framework's own validator (ValidatesAttributes.php) and is explicitly unrelated to bugs in user-written upload code; the GHSA entry was withdrawn after the maintainers classified it as a userland issue. The exposed pattern is an application that persists the upload under the client-supplied extension (getClientOriginalExtension) rather than the extension derived from the sniffed content.
- Debian package fixes are available: bookworm, sid, trixie and forky resolved in 6.20.14+dfsg-3; bullseye in 6.20.14+dfsg-2+deb11u1. Ensure the patched package is deployed.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
GHSA
ghsa · 2021-11-16 · MEDIUM · CWE-434
Withdrawn: Laravel Framework does not sufficiently block the upload of executable PHP content.
# Withdrawn
This advisory has been withdrawn after the maintainers of Laravel noted this issue is not a security vulnerability with Laravel itself, but rather a userland issue.
## Original CVE based description
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. In some use cases, this may be related to file-type validation for image upload (e.g., differences between getClientOriginalExtension and other approaches).
OSV
osv · 2021-11-14 · CVSS 9.8 · CRITICAL
CVE-2021-43617: Laravel Framework through 8
Description: identical to the NVD text above.
Debian
vendor_debian · 2021 · CVSS 9.8 · CRITICAL
CVE-2021-43617: php-laravel-framework - Laravel Framework through 8.70.2 does not sufficiently block the upload of execu...
Description: identical to the NVD text above.
Scope: local
bookworm: resolved (fixed in 6.20.14+dfsg-3)
bullseye: resolved (fixed in 6.20.14+dfsg-2+deb11u1)
forky: resolved (fixed in 6.20.14+dfsg-3)
sid: resolved (fixed in 6.20.14+dfsg-3)
trixie: resolved (fixed in 6.20.14+dfsg-3)
No detection rules found.
No writeups or analysis indexed.
References
- https://github.com/laravel/framework/blob/2049de73aa099a113a287587df4cc522c90961f5/src/Illuminate/Validation/Concerns/ValidatesAttributes.php#L1331-L1333 (Laravel validator source referenced by the CVE)
- https://salsa.debian.org/php-team/php/-/blob/dc253886b5b2e9bc8d9e36db787abb083a667fd8/debian/php-cgi.conf#L5-6 (Debian PHP CGI handler configuration)
- https://salsa.debian.org/php-team/php/-/commit/dc253886b5b2e9bc8d9e36db787abb083a667fd8