Withdrawn: Laravel Framework does not sufficiently block the upload of executable PHP content.

Moderate severity GitHub Reviewed Published Nov 16, 2021 to the GitHub Advisory Database • Updated Feb 1, 2023
Withdrawn This advisory was withdrawn on Nov 17, 2021

Package

composer laravel/framework (Composer)

Affected versions

<= 8.70.2

Patched versions

None

Description

Withdrawn

This advisory has been withdrawn after the maintainers of Laravel noted this issue is not a security vulnerability with Laravel itself, but rather a userland issue.

Original CVE based description

Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. In some use cases, this may be related to file-type validation for image upload (e.g., differences between getClientOriginalExtension and other approaches).
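The "userland" side of the issue above, as an added example (this is not code from Laravel or from the advisory): an avatar-upload controller written twice. The weak version builds the stored filename from getClientOriginalExtension(), i.e. from whatever the browser claimed, so it depends entirely on the framework validator's deny list to keep executable extensions out; the hardened version applies an explicit extension allowlist to both the client-reported extension and the content-derived one, and lets Laravel generate the stored name. The controller, route wiring and the `public` disk are assumptions about an ordinary Laravel application.

```php
<?php
// Added example, not part of the advisory or of Laravel itself.
// Assumes a standard Laravel app with a "public" filesystem disk.

namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Http\UploadedFile;

class AvatarController extends Controller
{
    // Weak: the stored extension is copied from the client-supplied filename.
    // If the web server maps that extension to the PHP handler (the advisory
    // mentions .phar on Debian-based systems), the upload is served as code,
    // and the only thing standing in the way is the validator's deny list.
    public function storeWeak(Request $request)
    {
        $request->validate(['avatar' => 'required|image']);

        $file = $request->file('avatar');
        $name = uniqid('avatar_', true) . '.' . $file->getClientOriginalExtension();

        $file->storeAs('avatars', $name, 'public');

        return response()->json(['stored' => $name]);
    }

    // Hardened: an explicit allowlist is the primary gate, the deny list in
    // the framework validator is only a second layer, and the stored name is
    // generated by Laravel from the sniffed MIME type rather than the client name.
    public function storeHardened(Request $request)
    {
        $allowed = ['jpg', 'jpeg', 'png', 'gif', 'webp'];

        $request->validate([
            'avatar' => ['required', 'image', 'mimes:' . implode(',', $allowed), 'max:2048'],
        ]);

        $file = $request->file('avatar');

        if (!self::extensionIsAllowed($file, $allowed)) {
            abort(422, 'Unsupported file type.');
        }

        // store() names the file with a random hash plus the extension Laravel
        // guesses from the file contents, so the client filename never reaches disk.
        $path = $file->store('avatars', 'public');

        return response()->json(['stored' => $path]);
    }

    // Both the client-reported extension and the content-derived extension must
    // be on the allowlist. A file named "photo.phar" whose bytes are a valid PNG
    // fails the first check and is rejected rather than silently renamed.
    public static function extensionIsAllowed(UploadedFile $file, array $allowed): bool
    {
        $clientExt  = strtolower($file->getClientOriginalExtension());
        $sniffedExt = strtolower((string) $file->extension());

        return in_array($clientExt, $allowed, true)
            && in_array($sniffedExt, $allowed, true);
    }
}
```

The design point is that an allowlist of a few image extensions does not need to know which extensions a given web server treats as PHP, whereas a deny list (the one the CVE text says lacked `.phar`) has to enumerate them all. Keeping the upload directory out of any PHP handler mapping on the web server is the usual third layer, independent of the application code.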

References

Published by the National Vulnerability Database Nov 14, 2021
Reviewed Nov 15, 2021
Published to the GitHub Advisory Database Nov 16, 2021
Withdrawn Nov 17, 2021
Last updated Feb 1, 2023

Severity

Moderate

EPSS score

2.374%
(90th percentile)

Weaknesses

CVE ID

CVE-2021-43617

GHSA ID

GHSA-364w-9g92-3grq

Source code
