CVE-2021-21979

Severity CVSS v4.0:

Pending analysis

Type:

CWE-798 Use of Hard-coded Credentials

Publication date:

03/03/2021

Last modified:

03/05/2022

Description

In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APP_KEY is fixed under certain conditions. This value is crucial for the security of the application and must be randomly generated per Laravel installation. If your application&#39;s encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS v3.1 Severity and Metrics:

Base Score: 7.30 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low

Base Score 3.x

7.30

Severity 3.x

HIGH

Vector 2.0

AV:N/AC:L/Au:N/C:P/I:P/A:P CVSS v2.0 Severity and Metrics:

Base Score: 7.50 HIGH
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Attack Vector (AV): Network
Attack Complexity (AC): Low
Authentication (Au): None
Confidentiality (C): Physical
Integrity (I): Physical
Availability (A): Physical

Base Score 2.0

7.50

Severity 2.0

HIGH

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:a:bitnami:containers::::::laravel::*	6.0.2-debian-9-r0 (including)	6.0.2-debian-9-r22 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	6.4.0-debian-9-r0 (including)	6.4.0-debian-9-r31 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	6.5.2-debian-9-r0 (including)	6.5.2-debian-9-r20 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	6.8.0-debian-9-r0 (including)	6.8.0-debian-9-r26 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	6.12.0-debian-9-r0 (including)	6.12.0-debian-10-r33 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	6.18.0-debian-10-r0 (including)	6.18.0-debian-10-r21 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	6.18.3-debian-10-r0 (including)	6.18.3-debian-10-r22 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	6.18.8-debian-10-r0 (including)	6.18.8-debian-10-r110 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	6.18.35-debian-10-r0 (including)	6.18.35-debian-10-r66 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	6.20.0-debian-10-r0 (including)	6.20.0-debian-10-r107 (excluding)
cpe:2.3:a:bitnami:containers::::::laravel::*	7.0.0-debian-10-r0 (including)	7.0.0-debian-10-r7 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	7.3.0-debian-10-r0 (including)	7.3.0-debian-10-r20 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	7.6.0-debian-10-r0 (including)	7.6.0-debian-10-r38 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	7.12.0-debian-10-r0 (including)	7.12.0-debian-10-r72 (including)
cpe:2.3:a:bitnami:containers::::::laravel::*	7.25.0-debian-10-r0 (including)	7.25.0-debian-10-r16 (including)

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://github.com/bitnami/bitnami-docker-laravel/issues/139