CVE-2021-3129
Published: 12 January 2021
Summary
CVE-2021-3129 is a critical-severity vulnerability, of an unspecified weakness class, in Facade Ignition. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Deeper analysis
Ignition before version 2.5.2, a component used in Laravel and other products, contains a vulnerability that permits unauthenticated remote code execution through insecure handling of file_get_contents() and file_put_contents(). The issue is exploitable specifically when debug mode is enabled in Laravel versions prior to 8.4.2, resulting in a CVSS 3.1 score of 9.8.
Unauthenticated attackers with network access can leverage the flaw to achieve arbitrary code execution on affected systems, gaining full control over confidentiality, integrity, and availability without requiring user interaction or credentials.
Public references, including a GitHub pull request for the Ignition project and detailed analyses on sites such as ambionics.io, point to updates in Ignition 2.5.2 and Laravel 8.4.2 as the primary mitigations, while multiple exploit proofs of concept have been published on PacketStorm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-0599
Vulnerability details
Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.
- CWE(s)
- KEV Date Added: 18 September 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly requires timely installation of vendor patches (Ignition 2.5.2 / Laravel 8.4.2) that eliminate the file_get_contents / file_put_contents RCE vector.
Mandates disabling non-essential capabilities such as debug mode, which is the specific precondition required to exploit the unauthenticated RCE.
Requires validation of untrusted input before it is passed to file_get_contents / file_put_contents, limiting the ability to write and execute arbitrary code.
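A defender-side check for the two conditions described above (Ignition before 2.5.2 or Laravel before 8.4.2, combined with debug mode), added here as an example and not taken from the Ignition or Laravel projects. It assumes a Composer-managed application whose `composer.lock` lists the packages as `facade/ignition` and `laravel/framework`, and debug mode set through `APP_DEBUG` in `.env`; the sample inputs are constructed.

```python
import json
import re

# Fixed versions stated in the advisory text above.
FIXED = {"facade/ignition": (2, 5, 2), "laravel/framework": (8, 4, 2)}
# Values Laravel's (bool) cast of env("APP_DEBUG") treats as off (assumption).
FALSY = {"", "0", "false", "(false)", "null", "(null)", "empty", "(empty)"}

def parse_version(text):
    """'2.5.1' or 'v8.4.2' -> (2, 5, 1); None for branches such as 'dev-main'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def outdated_packages(lock_text):
    """Return {name: version} for tracked packages below their fixed version."""
    lock, found = json.loads(lock_text), {}
    # Ignition is commonly a dev dependency, so scan both sections.
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, raw = pkg.get("name"), pkg.get("version", "")
        ver = parse_version(raw)
        # An unparseable version is reported rather than silently passed.
        if name in FIXED and (ver is None or ver < FIXED[name]):
            found[name] = raw
    return found

def debug_enabled(env_text):
    """True if any uncommented APP_DEBUG line is not clearly falsy."""
    values = re.findall(r"^[ \t]*APP_DEBUG[ \t]*=[ \t]*(.*)$", env_text, re.M)
    clean = [v.split("#")[0].strip().strip("'\"").lower() for v in values]
    return any(v not in FALSY for v in clean)

def assess(lock_text, env_text):
    """Return ('exposed'|'patch-needed'|'disable-debug'|'ok', outdated)."""
    old, debug = outdated_packages(lock_text), debug_enabled(env_text)
    if old:
        return ("exposed" if debug else "patch-needed"), old
    return ("disable-debug" if debug else "ok"), old

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "laravel/framework", "version": "v8.4.1"}],
    "packages-dev": [{"name": "facade/ignition", "version": "2.5.1"}],
})
SAMPLE_ENV = "APP_ENV=local\n#APP_DEBUG=false\nAPP_DEBUG=true\n"

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, SAMPLE_ENV))
```

A `.env` file is only one source of configuration; cached config or real environment variables can override it, so confirm the value the running application actually uses.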