File Generation Flaw in Laravel Containers by Bitnami
CVE-2021-21979

7.3HIGH

Key Information:

Vendor: Bitnami
CVE Published: 3 March 2021

What is CVE-2021-21979?

Bitnami's Docker images for Laravel generate the application environment file, /tmp/app/.env, with a fixed APP_KEY value at image build time, so every container started from the same image shares the same key. This key underpins Laravel's encryption and must be unique to each installation. An attacker who knows it can forge cookie values and exploit PHP deserialization flaws, potentially invoking arbitrary methods inside the application and compromising its integrity and sensitive data.
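The defensive check that follows from this description is an audit of deployed .env files for an APP_KEY that is malformed or shared across installations. The script below is an added example, not code from Bitnami or Laravel; the deployment names and .env contents are constructed sample data.

```python
"""Audit Laravel .env files for a missing, malformed or shared APP_KEY."""
from __future__ import annotations
import base64
import re
import secrets
from collections import defaultdict
from typing import Optional

# Laravel's AES-256-CBC cipher needs a 32-byte key, AES-128-CBC a 16-byte key.
VALID_KEY_LENGTHS = {16, 32}
APP_KEY_RE = re.compile(r'^\s*APP_KEY\s*=\s*"?([^"\s#]*)"?', re.MULTILINE)


def extract_app_key(env_text: str) -> Optional[str]:
    """Return the APP_KEY value from .env text, or None if absent or empty."""
    match = APP_KEY_RE.search(env_text)
    if not match or not match.group(1):
        return None
    return match.group(1)


def app_key_is_well_formed(key: str) -> bool:
    """Check the 'base64:<key>' form Laravel expects and the decoded key length."""
    if not key.startswith("base64:"):
        return False
    try:
        raw = base64.b64decode(key[len("base64:"):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) in VALID_KEY_LENGTHS


def find_shared_app_keys(env_files: dict[str, str]) -> dict[str, list[str]]:
    """Map every APP_KEY used by more than one deployment to those deployments.
    A key shared across installations is exactly the CVE-2021-21979 condition:
    the key was baked into the image instead of generated per installation."""
    by_key: dict[str, list[str]] = defaultdict(list)
    for name, text in env_files.items():
        key = extract_app_key(text)
        if key:
            by_key[key].append(name)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def generate_app_key() -> str:
    """Fresh per-installation key in the same shape `php artisan key:generate` emits."""
    return "base64:" + base64.b64encode(secrets.token_bytes(32)).decode()


# Constructed sample .env contents for four deployments (not real keys).
SHARED = "base64:" + base64.b64encode(b"A" * 32).decode()
SAMPLE_ENVS = {
    "shop-prod": f"APP_NAME=Laravel\nAPP_KEY={SHARED}\nAPP_DEBUG=false\n",
    "shop-staging": f'APP_NAME=Laravel\nAPP_KEY="{SHARED}"\n',
    "blog-prod": f"APP_NAME=Laravel\nAPP_KEY={generate_app_key()}\n",
    "cms-prod": "APP_NAME=Laravel\nAPP_KEY=\n",  # key never generated at all
}

if __name__ == "__main__":
    for key, deployments in find_shared_app_keys(SAMPLE_ENVS).items():
        print(f"APP_KEY shared by {deployments}; rotate each to a fresh key")
```

Rotating a shared key invalidates existing sessions and encrypted cookies for that deployment, which is the intended effect when the key may have been known to anyone with the image.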

Affected Version(s)

Bitnami Containers: all Laravel container versions prior to

  • 6.20.0-debian-10-r107 for Laravel 6

  • 7.30.1-debian-10-r108 for Laravel 7

  • 8.5.11-debian-10-r0 for Laravel 8

CVSS V3.1

Score: 7.3
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
