CVE-2021-43617

high-risk

Published 2021-11-14

Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. NOTE: this CVE Record is for Laravel Framework, and is unrelated to any reports concerning incorrectly written user applications for image upload.

Do I need to act?

52.8% chance of exploitation in next 30 days

EPSS score — higher than 47% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

50525

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Framework

Affected Vendors

Laravel

References (6)

Third Party Advisory https://github.com/laravel/framework/blob/2049de73aa099a113a287587df4cc522c90961...

Patch https://salsa.debian.org/php-team/php/-/blob/dc253886b5b2e9bc8d9e36db787abb083a6...

Patch https://salsa.debian.org/php-team/php/-/commit/dc253886b5b2e9bc8d9e36db787abb083...

Third Party Advisory https://github.com/laravel/framework/blob/2049de73aa099a113a287587df4cc522c90961...

Patch https://salsa.debian.org/php-team/php/-/blob/dc253886b5b2e9bc8d9e36db787abb083a6...

Patch https://salsa.debian.org/php-team/php/-/commit/dc253886b5b2e9bc8d9e36db787abb083...

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 18/34 · Moderate

Exposure 5/34 · Minimal