CVE-2021-43996
published 2021-11-17CVE-2021-43996: The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can lead to incorrect access control.
PriorityP351critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.67%
73.9th percentile
The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can lead to incorrect access control.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| facade | ignition | < 1.6.15 | 1.6.15 |
| facade | ignition | >= 0 < 1.16.15 | 1.16.15 |
| facade | ignition | >= 1.0.0 < 1.16.15 | 1.16.15 |
| facade | ignition | >= 2.0.0 < 2.0.5 | 2.0.5 |
| facade | ignition | >= 2.0.0 < 2.0.6 | 2.0.6 |
| facade | ignition | >= 2.0.0 < 2.0.5 | 2.0.5 |
| facade | ignition | >= 2.0.0 < 2.0.6 | 2.0.6 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa9.8CRITICAL
osv9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Incorrect Access Control in Ignition
osv·2021-11-19
CVE-2021-43996 [CRITICAL] Incorrect Access Control in Ignition
Incorrect Access Control in Ignition
The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can lead to incorrect access control.
GHSA
Incorrect Access Control in Ignition
ghsa·2021-11-19
CVE-2021-43996 [CRITICAL] CWE-284 Incorrect Access Control in Ignition
Incorrect Access Control in Ignition
The Ignition component before 1.16.15, and 2.0.x before 2.0.6, for Laravel has a "fix variable names" feature that can lead to incorrect access control.
OSV
Critical severity vulnerability in Ignition
osv·2021-10-12·CVSS 9.8
CVE-2020-13909 [CRITICAL] Critical severity vulnerability in Ignition
Critical severity vulnerability in Ignition
The Ignition page before version 2.0.5 for Laravel mishandles globals, _get, _post, _cookie, and _env.
NOTE: in the 1.x series, versions 1.16.15 and later are unaffected as a consequence of the CVE-2021-43996 fix.
GHSA
Critical severity vulnerability in Ignition
ghsa·2021-10-12·CVSS 9.8
CVE-2020-13909 [CRITICAL] Critical severity vulnerability in Ignition
Critical severity vulnerability in Ignition
The Ignition page before version 2.0.5 for Laravel mishandles globals, _get, _post, _cookie, and _env.
NOTE: in the 1.x series, versions 1.16.15 and later are unaffected as a consequence of the CVE-2021-43996 fix.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/facade/ignition/compare/1.16.14...1.16.15https://github.com/facade/ignition/compare/2.0.5...2.0.6https://github.com/facade/ignition/pull/285https://github.com/facade/ignition/compare/1.16.14...1.16.15https://github.com/facade/ignition/compare/2.0.5...2.0.6https://github.com/facade/ignition/pull/285
2021-11-17
Published