Freedom Coder

Posted on • Originally published at scyscan.com

CVE-2018-15133: Laravel Deserialization of Untrusted Data Vulnerability

CVE ID

CVE-2018-15133

Vulnerability Name

Laravel Deserialization of Untrusted Data Vulnerability

  • Project: Laravel
  • Product: Laravel Framework

Date

  • Date Added: 2024-01-16
  • Due Date: 2024-02-06

Description

Laravel Framework contains a deserialization of untrusted data vulnerability, allowing for remote command execution. This vulnerability may only be exploited if a malicious user has accessed the application encryption key (APP_KEY environment variable).

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30; https://nvd.nist.gov/vuln/detail/CVE-2018-15133


Top comments (1)

david duymelinck

The fix: don't add sensitive information to an env file. It is a problem that has been addressed numerous times before. Just stop using env files in production; it is a developer tool.