Information Disclosure in Laravel Framework
CVE-2017-16894

7.5 HIGH

Key Information:

Vendor: Laravel

Status
Vendor
CVE Published: 20 November 2017

What is CVE-2017-16894?

In versions up to 5.5.21 of the Laravel framework, remote attackers can exploit a vulnerability that allows them to gain access to sensitive information stored in the application's environment file. This access can occur through a direct request targeting the /.env URI. The issue arises from the framework's 'writeNewEnvironmentFileWith' function, which utilizes the 'file_put_contents' method without proper restrictions on permissions. As a result, sensitive data such as passwords may be exposed, potentially leading to further security risks.
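
A defender's check for the condition described above, as an added example that is not code from Laravel or from this advisory: it finds `.env` files whose mode lets group or other users read them, tightens them, and shows a write that never leaves the file readable by anyone but its owner. The function names `audit_env`, `harden_env` and `write_env_private` are hypothetical, and the project directory is passed as an argument.

```shell
#!/bin/sh
# Added example (not Laravel code): audit and tighten .env file permissions.
# All function names here are hypothetical.

# audit_env DIR
#   Prints every .env under DIR that is readable by group or by others.
#   Returns 1 if at least one such file exists, 0 if none do.
audit_env() {
    found=$(find "$1" -type f -name .env \( -perm -040 -o -perm -004 \) -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# harden_env DIR
#   Sets every .env under DIR to owner read/write only (0600).
harden_env() {
    find "$1" -type f -name .env -exec chmod 600 {} +
}

# write_env_private FILE CONTENT
#   Writes CONTENT to FILE under a restrictive umask, so a newly created
#   file is 0600 from the start. The chmod covers the case where FILE
#   already existed with a looser mode, since umask only affects creation.
#   The body runs in a subshell so the caller's umask is left unchanged.
write_env_private() (
    umask 077
    printf '%s\n' "$2" > "$1"
    chmod 600 "$1"
)

# Stand-alone use: sh audit_env.sh /path/to/project
if [ $# -gt 0 ]; then
    audit_env "$1"
fi
```

File mode is only one part of the exposure: the direct request to /.env also depends on the web server being able to serve that path, so the audit should be paired with a check that `.env` sits outside the document root or is denied by the server configuration.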

EPSS Score

86% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
