CVE-2017-16894 : In Laravel framework through 5.5.21, remote attackers can obtain sensitive infor

In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework.

Published 2017-11-20 01:29:00

Updated 2018-03-09 02:29:01

Source MITRE

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2017-16894

Laravel » Laravel
Versions up to, including, (<=) 5.5.21
cpe:2.3:a:laravel:laravel:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2017-16894

EPSS FAQ

86.10%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 99 %

Percentile, the proportion of vulnerabilities that are scored at or less

Metasploit modules for CVE-2017-16894

PHP Laravel Framework token Unserialize Remote Command Execution

Disclosure Date: 2018-08-07

First seen: 2020-04-26

exploit/unix/http/laravel_token_unserialize_exec

This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29. Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to an insecure unserialize call of the decrypt method in Illuminate/Encryption

More information

CVSS scores for CVE-2017-16894

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2017-16894

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-16894

https://twitter.com/finnwea/status/967709791442341888

Tijme Gommers on Twitter: "Many Laravel applications expose their database, AWS & mail credentials due to misconfigurations 😅 (credits to someone on a private Slack channel). https://t.co/1u0NCjfIrg…
http://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html

PHP Laravel Framework Token Unserialize Remote Command Execution ≈ Packet Storm

CVEs referencing this url
http://whiteboyz.xyz/laravel-env-file-vuln.html

White Boyz -
Third Party Advisory

Jump to