CVE-2017-16894

Name of the Vulnerable Software and Affected Versions Laravel framework versions prior to 5.5.22

Description The issue allows remote attackers to obtain sensitive information, such as externally usable passwords, via a direct request for the /.env URI. This is due to the writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file put contents without restricting the .env permissions.

Recommendations For Laravel framework versions prior to 5.5.22, update to version 5.5.22 or later to resolve the issue. As a temporary workaround, consider restricting access to the /.env file to minimize the risk of exploitation.