CVE ID
CVE-2018-15133
Vulnerability Name
Laravel Deserialization of Untrusted Data Vulnerability
- Project: Laravel
- Product: Laravel Framework
Date
- Date Added: 2024-01-16
- Due Date: 2024-02-06
Description
Laravel Framework contains a deserialization of untrusted data vulnerability that allows remote command execution. It can only be exploited if an attacker has already obtained the application encryption key (the APP_KEY environment variable).
Known To Be Used in Ransomware Campaigns?
Unknown
Action
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Additional Notes
- https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30
- https://nvd.nist.gov/vuln/detail/CVE-2018-15133
Related Security News
- Over 600 Laravel Apps Exposed to Remote Code Execution Due to Leaked APP_KEYs on GitHub
- AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services
Top comments (1)
The fix: don't add sensitive information to an env file. It is a problem that has been addressed numerous times before. Just stop using env files in production; they are a developer tool.