{
|
|
"id": "CVE-2021-21979",
|
|
"sourceIdentifier": "security@vmware.com",
|
|
"published": "2021-03-03T17:15:12.270",
|
|
"lastModified": "2022-05-03T16:04:40.443",
|
|
"vulnStatus": "Analyzed",
|
|
"descriptions": [
|
|
{
|
|
"lang": "en",
|
|
"value": "In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APP_KEY is fixed under certain conditions. This value is crucial for the security of the application and must be randomly generated per Laravel installation. If your application's encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application."
|
|
},
|
|
{
|
|
"lang": "es",
|
|
"value": "En Bitnami Containers, todas las versiones de contenedores de Laravel anteriores a: 6.20.0-debian-10-r107 para Laravel 6, 7.30.1-debian-10-r108 para Laravel 7 y 8.5.11-debian-10-r0 para Laravel 8, el archivo /tmp/app/.env es generado en el momento en que se cre\u00f3 la imagen de docker bitnami/laravel, y el valor de APP_KEY es fijo bajo determinadas condiciones. Este valor es crucial para la seguridad de la aplicaci\u00f3n y debe generarse aleatoriamente para cada instalaci\u00f3n de Laravel. Si la clave de cifrado de su aplicaci\u00f3n est\u00e1 en manos de una parte maliciosa, esa parte podr\u00eda dise\u00f1ar valores de cookies usando la clave de cifrado y explotar las vulnerabilidades inherentes a una serializaci\u00f3n y deserializaci\u00f3n de objetos PHP, como llamar a m\u00e9todos de clase arbitrarios dentro de su aplicaci\u00f3n"
|
|
}
|
|
],
|
|
"metrics": {
|
|
"cvssMetricV31": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "NONE",
|
|
"userInteraction": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"confidentialityImpact": "LOW",
|
|
"integrityImpact": "LOW",
|
|
"availabilityImpact": "LOW",
|
|
"baseScore": 7.3,
|
|
"baseSeverity": "HIGH"
|
|
},
|
|
"exploitabilityScore": 3.9,
|
|
"impactScore": 3.4
|
|
}
|
|
],
|
|
"cvssMetricV2": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "2.0",
|
|
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
|
"accessVector": "NETWORK",
|
|
"accessComplexity": "LOW",
|
|
"authentication": "NONE",
|
|
"confidentialityImpact": "PARTIAL",
|
|
"integrityImpact": "PARTIAL",
|
|
"availabilityImpact": "PARTIAL",
|
|
"baseScore": 7.5
|
|
},
|
|
"baseSeverity": "HIGH",
|
|
"exploitabilityScore": 10.0,
|
|
"impactScore": 6.4,
|
|
"acInsufInfo": false,
|
|
"obtainAllPrivilege": false,
|
|
"obtainUserPrivilege": false,
|
|
"obtainOtherPrivilege": false,
|
|
"userInteractionRequired": false
|
|
}
|
|
]
|
|
},
|
|
"weaknesses": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-798"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"configurations": [
|
|
{
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "6.0.2-debian-9-r0",
|
|
"versionEndIncluding": "6.0.2-debian-9-r22",
|
|
"matchCriteriaId": "1C7CED2A-9A85-419B-ADFE-F6AE73E1555B"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "6.4.0-debian-9-r0",
|
|
"versionEndIncluding": "6.4.0-debian-9-r31",
|
|
"matchCriteriaId": "FCB1050D-3846-4787-8A7B-43A308E5C21A"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "6.5.2-debian-9-r0",
|
|
"versionEndIncluding": "6.5.2-debian-9-r20",
|
|
"matchCriteriaId": "3E7032B5-FF3E-45D7-8F77-E678D93E7278"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "6.8.0-debian-9-r0",
|
|
"versionEndIncluding": "6.8.0-debian-9-r26",
|
|
"matchCriteriaId": "243D681C-4017-49CB-8059-EA8BE15A6056"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "6.12.0-debian-9-r0",
|
|
"versionEndIncluding": "6.12.0-debian-10-r33",
|
|
"matchCriteriaId": "04949BF0-3329-411A-9DCC-44143ADEF25B"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "6.18.0-debian-10-r0",
|
|
"versionEndIncluding": "6.18.0-debian-10-r21",
|
|
"matchCriteriaId": "CF1507FE-A93F-44E5-BB60-C88CD49EEA4E"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "6.18.3-debian-10-r0",
|
|
"versionEndIncluding": "6.18.3-debian-10-r22",
|
|
"matchCriteriaId": "4262A5D9-7BBD-4782-9260-486124D4A800"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "6.18.8-debian-10-r0",
|
|
"versionEndIncluding": "6.18.8-debian-10-r110",
|
|
"matchCriteriaId": "4EA20993-0FF6-498D-90E0-9D48ECCE1E34"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "6.18.35-debian-10-r0",
|
|
"versionEndIncluding": "6.18.35-debian-10-r66",
|
|
"matchCriteriaId": "01035E72-A4B1-4B66-AEBA-680D7D81B8D5"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "6.20.0-debian-10-r0",
|
|
"versionEndExcluding": "6.20.0-debian-10-r107",
|
|
"matchCriteriaId": "635AE898-5216-4F6D-8908-ADAD2053318F"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "7.0.0-debian-10-r0",
|
|
"versionEndIncluding": "7.0.0-debian-10-r7",
|
|
"matchCriteriaId": "C5BC1638-AFC3-49BB-9888-D04E5EDD4106"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "7.3.0-debian-10-r0",
|
|
"versionEndIncluding": "7.3.0-debian-10-r20",
|
|
"matchCriteriaId": "25B5235E-27DF-4032-94B7-ACD6CFA6F9B8"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "7.6.0-debian-10-r0",
|
|
"versionEndIncluding": "7.6.0-debian-10-r38",
|
|
"matchCriteriaId": "B086553E-7236-4783-8C90-D876B35E1066"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "7.12.0-debian-10-r0",
|
|
"versionEndIncluding": "7.12.0-debian-10-r72",
|
|
"matchCriteriaId": "BDFC7B0A-2D11-43AC-8493-2834C99049CB"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "7.25.0-debian-10-r0",
|
|
"versionEndIncluding": "7.25.0-debian-10-r16",
|
|
"matchCriteriaId": "5FBFEC8E-B9EC-45CF-870E-9EED6ECFC74C"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "7.28.0-debian-10-r0",
|
|
"versionEndIncluding": "7.28.0-debian-10-r50",
|
|
"matchCriteriaId": "DC7AA5BC-9842-4C73-96E7-F819467B7ADB"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "7.30.1-debian-10-r0",
|
|
"versionEndExcluding": "7.30.1-debian-10-r108",
|
|
"matchCriteriaId": "AB4F98CC-3DE0-4D18-896A-13CFC35256EA"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.0.1-debian-10-r0",
|
|
"versionEndIncluding": "8.0.1-debian-10-r7",
|
|
"matchCriteriaId": "6B1F16C0-2044-4B62-9B19-43BBC2A47E23"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.0.3-debian-10-r0",
|
|
"versionEndIncluding": "8.0.3-debian-10-r18",
|
|
"matchCriteriaId": "EE8EB91F-033E-4479-8A36-F72FCC8F5DBE"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.1.0-debian-10-r0",
|
|
"versionEndIncluding": "8.1.0-debian-10-r7",
|
|
"matchCriteriaId": "7853E367-D088-4879-AB1A-80ADC8C2184B"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.2.0-debian-10-r0",
|
|
"versionEndIncluding": "8.2.0-debian-10-r8",
|
|
"matchCriteriaId": "BA18569B-C219-4455-BF4C-46E414CE5432"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.4.0-debian-10-r0",
|
|
"versionEndIncluding": "8.4.0-debian-10-r10",
|
|
"matchCriteriaId": "50931BC5-469F-48AD-82C1-DF6E3354B2CF"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.4.1-debian-10-r0",
|
|
"versionEndIncluding": "8.4.1-debian-10-r6",
|
|
"matchCriteriaId": "05D61B80-5874-440B-BD47-1FFA37A595C9"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.4.2-debian-10-r0",
|
|
"versionEndIncluding": "8.4.2-debian-10-r4",
|
|
"matchCriteriaId": "E1D840C7-6F4A-4BA9-9C3C-5499991051B1"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.4.3-debian-10-r0",
|
|
"versionEndIncluding": "8.4.3-debian-10-r6",
|
|
"matchCriteriaId": "A2CB8B4A-7676-486B-8D04-F10A5FCA864D"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.4.4-debian-10-r0",
|
|
"versionEndIncluding": "8.4.4-debian-10-r6",
|
|
"matchCriteriaId": "9A8F496F-5FFA-4CCD-8DE9-A7750E2C93B7"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.5.5-debian-10-r0",
|
|
"versionEndIncluding": "8.5.5-debian-10-r11",
|
|
"matchCriteriaId": "AF0E5F60-33C6-42FB-8046-5F11904E1042"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.5.6-debian-10-r0",
|
|
"versionEndIncluding": "8.5.6-debian-10-r13",
|
|
"matchCriteriaId": "096D7491-1E6D-4879-865C-1188D4DDBB28"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.5.7-debian-10-r0",
|
|
"versionEndIncluding": "8.5.7-debian-10-r6",
|
|
"matchCriteriaId": "EA7227A6-F123-403C-BD15-3EB2189505FD"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.5.8-debian-10-r0",
|
|
"versionEndIncluding": "8.5.8-debian-10-r5",
|
|
"matchCriteriaId": "4BBC7AAA-1BB2-4B13-BF9F-AB4DC4AAE972"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.5.9-debian-10-r0",
|
|
"versionEndIncluding": "8.5.9-debian-10-r25",
|
|
"matchCriteriaId": "9B55A310-5C1C-4DA3-B618-146DA68B6F57"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
|
|
"versionStartIncluding": "8.5.10-debian-10-r0",
|
|
"versionEndIncluding": "8.5.10-debian-10-r6",
|
|
"matchCriteriaId": "2AC8F0ED-0AAF-48D8-9A43-6AB3D70AB991"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:6.19.0-debian-10-r0:*:*:*:*:laravel:*:*",
|
|
"matchCriteriaId": "0441223A-AF20-402D-9953-2DB29FF07232"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:7.29.0-debian-10-r0:*:*:*:*:laravel:*:*",
|
|
"matchCriteriaId": "12D9A722-790F-4244-9209-19D61723AA89"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:7.30.0-debian-10-r0:*:*:*:*:laravel:*:*",
|
|
"matchCriteriaId": "888EAFDD-8BC1-4C92-9AD8-6302D72A3674"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:8.3.0-debian-10-r0:*:*:*:*:laravel:*:*",
|
|
"matchCriteriaId": "640CB6F5-F58D-402D-8F11-786145B2F920"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:8.5.2-debian-10-r0:*:*:*:*:laravel:*:*",
|
|
"matchCriteriaId": "A34EA38A-F55A-4448-9D2D-A89D816866EC"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:8.5.2-debian-10-r1:*:*:*:*:laravel:*:*",
|
|
"matchCriteriaId": "66151425-8125-4C52-9320-7C471A072436"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:8.5.3-debian-10-r0:*:*:*:*:laravel:*:*",
|
|
"matchCriteriaId": "588EB5F3-7A30-4DD9-976E-5A00B151B48A"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:8.5.4-debian-10-r0:*:*:*:*:laravel:*:*",
|
|
"matchCriteriaId": "849C9414-78C1-412C-91F3-43D3D3814FAD"
|
|
},
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:bitnami:containers:8.5.4-debian-10-r1:*:*:*:*:laravel:*:*",
|
|
"matchCriteriaId": "1D9B42D4-4856-400D-9590-7EC976A915E5"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"url": "https://github.com/bitnami/bitnami-docker-laravel/issues/139",
|
|
"source": "security@vmware.com",
|
|
"tags": [
|
|
"Exploit",
|
|
"Third Party Advisory"
|
|
]
|
|
}
|
|
]
|
|
} |