Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

facade/ignition-2.3.7: 3 vulnerabilities (highest severity is: 9.8) #12

Open
mend-for-github-com bot opened this issue Aug 13, 2022 · 0 comments
Open

facade/ignition-2.3.7: 3 vulnerabilities (highest severity is: 9.8) #12

mend-for-github-com bot opened this issue Aug 13, 2022 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link

mend-for-github-com bot commented Aug 13, 2022
edited
Loading

Vulnerable Library - facade/ignition-2.3.7

A beautiful error page for Laravel applications.

Library home page: https://api.github.com/repos/facade/ignition/zipball/b364db8860a63c1fb58b72b9718863c21df08762

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (facade/ignition version) Remediation Possible**
CVE-2021-3129 Critical 9.8 facade/ignition-2.3.7 Direct 2.5.2
CVE-2024-50345 Low 3.1 symfony/http-foundation-v5.1.5 Transitive N/A*
CVE-2024-51736 Low 0.0 symfony/process-v5.1.5 Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-3129

Vulnerable Library - facade/ignition-2.3.7

A beautiful error page for Laravel applications.

Library home page: https://api.github.com/repos/facade/ignition/zipball/b364db8860a63c1fb58b72b9718863c21df08762

Dependency Hierarchy:

  • facade/ignition-2.3.7 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

Publish Date: 2021-01-12

URL: CVE-2021-3129

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3129

Release Date: 2021-01-12

Fix Resolution: 2.5.2

CVE-2024-50345

Vulnerable Library - symfony/http-foundation-v5.1.5

Symfony HttpFoundation Component

Library home page: https://api.github.com/repos/symfony/http-foundation/zipball/41a4647f12870e9d41d9a7d72ff0614a27208558

Dependency Hierarchy:

  • facade/ignition-2.3.7 (Root Library)
    • facade/flare-client-php-1.3.5
      • symfony/http-foundation-v5.1.5 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The "Request" class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the "Request" class to redirect users to another domain. The "Request::create" methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-11-06

URL: CVE-2024-50345

CVSS 3 Score Details (3.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mrqx-rp3w-jpjp

Release Date: 2024-11-06

Fix Resolution: symfony/http-foundation - v5.4.46,v6.4.14,v7.1.7

CVE-2024-51736

Vulnerable Library - symfony/process-v5.1.5

Symfony Process Component

Library home page: https://api.github.com/repos/symfony/process/zipball/1864216226af21eb76d9477f691e7cbf198e0402

Dependency Hierarchy:

  • facade/ignition-2.3.7 (Root Library)
    • symfony/console-v5.1.5
      • symfony/process-v5.1.5 (Vulnerable Library)

Found in HEAD commit: c84aace76ec3ee3adbeb9350245a685969209ed1

Found in base branch: main

Vulnerability Details

Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-11-06

URL: CVE-2024-51736

CVSS 3 Score Details (0.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2024-11-06

Fix Resolution: symfony/process - v5.4.46,v6.4.14,v7.1.7
@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Aug 13, 2022
@mend-for-github-com mend-for-github-com bot mentioned this issue Oct 31, 2024
Open
1 task
@mend-for-github-com mend-for-github-com bot changed the title facade/ignition-2.3.7: 1 vulnerabilities (highest severity is: 9.8) facade/ignition-2.3.7: 3 vulnerabilities (highest severity is: 9.8) Nov 7, 2024
@mend-for-github-com mend-for-github-com bot changed the title facade/ignition-2.3.7: 3 vulnerabilities (highest severity is: 9.8) facade/ignition-2.3.7: 4 vulnerabilities (highest severity is: 9.8) Dec 5, 2024
@mend-for-github-com mend-for-github-com bot changed the title facade/ignition-2.3.7: 4 vulnerabilities (highest severity is: 9.8) facade/ignition-2.3.7: 3 vulnerabilities (highest severity is: 9.8) Dec 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
0 participants