CVE-2021-21979

Published Mar 3, 2021
Last updated 3 years ago
CVSS high 7.3
Overview

Description: In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APP_KEY is fixed under certain conditions. This value is crucial for the security of the application and must be randomly generated per Laravel installation. If your application's encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application.
Source: security@vmware.com
NVD status: Analyzed
Risk scores

CVSS 3.1

Type: Primary
Base score: 7.3
Impact score: 3.4
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity: HIGH
CVSS 2.0

Type: Primary
Base score: 7.5
Impact score: 6.4
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P
Weaknesses

nvd@nist.gov: CWE-798
Hype score: Not currently trending
Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1C7CED2A-9A85-419B-ADFE-F6AE73E1555B",
            "versionEndIncluding": "6.0.2-debian-9-r22",
            "versionStartIncluding": "6.0.2-debian-9-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FCB1050D-3846-4787-8A7B-43A308E5C21A",
            "versionEndIncluding": "6.4.0-debian-9-r31",
            "versionStartIncluding": "6.4.0-debian-9-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3E7032B5-FF3E-45D7-8F77-E678D93E7278",
            "versionEndIncluding": "6.5.2-debian-9-r20",
            "versionStartIncluding": "6.5.2-debian-9-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "243D681C-4017-49CB-8059-EA8BE15A6056",
            "versionEndIncluding": "6.8.0-debian-9-r26",
            "versionStartIncluding": "6.8.0-debian-9-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "04949BF0-3329-411A-9DCC-44143ADEF25B",
            "versionEndIncluding": "6.12.0-debian-10-r33",
            "versionStartIncluding": "6.12.0-debian-9-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "CF1507FE-A93F-44E5-BB60-C88CD49EEA4E",
            "versionEndIncluding": "6.18.0-debian-10-r21",
            "versionStartIncluding": "6.18.0-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4262A5D9-7BBD-4782-9260-486124D4A800",
            "versionEndIncluding": "6.18.3-debian-10-r22",
            "versionStartIncluding": "6.18.3-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4EA20993-0FF6-498D-90E0-9D48ECCE1E34",
            "versionEndIncluding": "6.18.8-debian-10-r110",
            "versionStartIncluding": "6.18.8-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "01035E72-A4B1-4B66-AEBA-680D7D81B8D5",
            "versionEndIncluding": "6.18.35-debian-10-r66",
            "versionStartIncluding": "6.18.35-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "635AE898-5216-4F6D-8908-ADAD2053318F",
            "versionEndExcluding": "6.20.0-debian-10-r107",
            "versionStartIncluding": "6.20.0-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C5BC1638-AFC3-49BB-9888-D04E5EDD4106",
            "versionEndIncluding": "7.0.0-debian-10-r7",
            "versionStartIncluding": "7.0.0-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "25B5235E-27DF-4032-94B7-ACD6CFA6F9B8",
            "versionEndIncluding": "7.3.0-debian-10-r20",
            "versionStartIncluding": "7.3.0-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B086553E-7236-4783-8C90-D876B35E1066",
            "versionEndIncluding": "7.6.0-debian-10-r38",
            "versionStartIncluding": "7.6.0-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BDFC7B0A-2D11-43AC-8493-2834C99049CB",
            "versionEndIncluding": "7.12.0-debian-10-r72",
            "versionStartIncluding": "7.12.0-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5FBFEC8E-B9EC-45CF-870E-9EED6ECFC74C",
            "versionEndIncluding": "7.25.0-debian-10-r16",
            "versionStartIncluding": "7.25.0-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DC7AA5BC-9842-4C73-96E7-F819467B7ADB",
            "versionEndIncluding": "7.28.0-debian-10-r50",
            "versionStartIncluding": "7.28.0-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AB4F98CC-3DE0-4D18-896A-13CFC35256EA",
            "versionEndExcluding": "7.30.1-debian-10-r108",
            "versionStartIncluding": "7.30.1-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6B1F16C0-2044-4B62-9B19-43BBC2A47E23",
            "versionEndIncluding": "8.0.1-debian-10-r7",
            "versionStartIncluding": "8.0.1-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EE8EB91F-033E-4479-8A36-F72FCC8F5DBE",
            "versionEndIncluding": "8.0.3-debian-10-r18",
            "versionStartIncluding": "8.0.3-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7853E367-D088-4879-AB1A-80ADC8C2184B",
            "versionEndIncluding": "8.1.0-debian-10-r7",
            "versionStartIncluding": "8.1.0-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BA18569B-C219-4455-BF4C-46E414CE5432",
            "versionEndIncluding": "8.2.0-debian-10-r8",
            "versionStartIncluding": "8.2.0-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "50931BC5-469F-48AD-82C1-DF6E3354B2CF",
            "versionEndIncluding": "8.4.0-debian-10-r10",
            "versionStartIncluding": "8.4.0-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "05D61B80-5874-440B-BD47-1FFA37A595C9",
            "versionEndIncluding": "8.4.1-debian-10-r6",
            "versionStartIncluding": "8.4.1-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E1D840C7-6F4A-4BA9-9C3C-5499991051B1",
            "versionEndIncluding": "8.4.2-debian-10-r4",
            "versionStartIncluding": "8.4.2-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A2CB8B4A-7676-486B-8D04-F10A5FCA864D",
            "versionEndIncluding": "8.4.3-debian-10-r6",
            "versionStartIncluding": "8.4.3-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9A8F496F-5FFA-4CCD-8DE9-A7750E2C93B7",
            "versionEndIncluding": "8.4.4-debian-10-r6",
            "versionStartIncluding": "8.4.4-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "AF0E5F60-33C6-42FB-8046-5F11904E1042",
            "versionEndIncluding": "8.5.5-debian-10-r11",
            "versionStartIncluding": "8.5.5-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "096D7491-1E6D-4879-865C-1188D4DDBB28",
            "versionEndIncluding": "8.5.6-debian-10-r13",
            "versionStartIncluding": "8.5.6-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EA7227A6-F123-403C-BD15-3EB2189505FD",
            "versionEndIncluding": "8.5.7-debian-10-r6",
            "versionStartIncluding": "8.5.7-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4BBC7AAA-1BB2-4B13-BF9F-AB4DC4AAE972",
            "versionEndIncluding": "8.5.8-debian-10-r5",
            "versionStartIncluding": "8.5.8-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9B55A310-5C1C-4DA3-B618-146DA68B6F57",
            "versionEndIncluding": "8.5.9-debian-10-r25",
            "versionStartIncluding": "8.5.9-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:*:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2AC8F0ED-0AAF-48D8-9A43-6AB3D70AB991",
            "versionEndIncluding": "8.5.10-debian-10-r6",
            "versionStartIncluding": "8.5.10-debian-10-r0"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:6.19.0-debian-10-r0:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0441223A-AF20-402D-9953-2DB29FF07232"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:7.29.0-debian-10-r0:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "12D9A722-790F-4244-9209-19D61723AA89"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:7.30.0-debian-10-r0:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "888EAFDD-8BC1-4C92-9AD8-6302D72A3674"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:8.3.0-debian-10-r0:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "640CB6F5-F58D-402D-8F11-786145B2F920"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:8.5.2-debian-10-r0:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A34EA38A-F55A-4448-9D2D-A89D816866EC"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:8.5.2-debian-10-r1:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "66151425-8125-4C52-9320-7C471A072436"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:8.5.3-debian-10-r0:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "588EB5F3-7A30-4DD9-976E-5A00B151B48A"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:8.5.4-debian-10-r0:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "849C9414-78C1-412C-91F3-43D3D3814FAD"
          },
          {
            "criteria": "cpe:2.3:a:bitnami:containers:8.5.4-debian-10-r1:*:*:*:*:laravel:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1D9B42D4-4856-400D-9590-7EC976A915E5"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]
Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References
