Remote Code Execution (RCE) Affecting facade/ignition package, versions >=2.5.0, <2.5.2>=2.0.0, <2.4.2<1.16.14


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Mature
EPSS
97.43% (100th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PHP-FACADEIGNITION-1059267
  • published13 Jan 2021
  • disclosed13 Jan 2021
  • creditUnknown

Introduced: 13 Jan 2021

CVE-2021-3129  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade facade/ignition to version 2.5.2, 2.4.2, 1.16.14 or higher.

Overview

facade/ignition is an error page for Laravel apps.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to an insecure usage of file_get_contents() and file_put_contents().

Note: This is only exploitable on sites using debug mode with Laravel before 8.4.2.

CVSS Scores

version 3.1