PT-2021-14840 · Laravel · Laravel 8

Published 2021-03-03 · Updated 2022-05-03 · CVE-2021-21979

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Laravel container versions prior to 6.20.0-debian-10-r107 for Laravel 6
Laravel container versions prior to 7.30.1-debian-10-r108 for Laravel 7
Laravel container versions prior to 8.5.11-debian-10-r0 for Laravel 8
Description

The issue concerns the generation of the /tmp/app/.env file in Bitnami Containers, where the value of APP_KEY is fixed (not freshly generated) under certain conditions. This value is crucial for application security and should be randomly generated for each installation. If the encryption key falls into malicious hands, it could be used to craft cookie values and exploit vulnerabilities related to PHP object serialization and unserialization, such as calling arbitrary class methods within the application.
Recommendations

For Laravel 6 versions prior to 6.20.0-debian-10-r107, update to version 6.20.0-debian-10-r107 or later.
For Laravel 7 versions prior to 7.30.1-debian-10-r108, update to version 7.30.1-debian-10-r108 or later.
For Laravel 8 versions prior to 8.5.11-debian-10-r0, update to version 8.5.11-debian-10-r0 or later.

As a temporary workaround, regenerate APP_KEY to a random key for each affected Laravel installation until the updated version is applied.
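A defender-side check for the workaround above, added here as an example and not part of this advisory or of Bitnami's tooling: it parses .env files, validates that APP_KEY is a well-formed 32-byte base64: key for Laravel's default AES-256-CBC cipher, flags a key that several installations share (the fleet-level symptom of a key fixed at image-build time), and generates a replacement in the form that php artisan key:generate writes. The install names and .env contents are constructed sample data.

```python
import base64
import secrets
from collections import defaultdict

KEY_LEN = 32  # Laravel's default cipher, AES-256-CBC, needs a 32-byte key

def parse_env(text):
    """Minimal .env parser: KEY=value lines; comments and blanks are ignored."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"').strip("'")
    return env

def generate_app_key():
    """Fresh random key in the 'base64:...' form that `php artisan key:generate` writes."""
    return "base64:" + base64.b64encode(secrets.token_bytes(KEY_LEN)).decode("ascii")

def key_problem(value):
    """Return what is wrong with one APP_KEY value, or None if it is well-formed."""
    if not value:
        return "APP_KEY is empty"
    if not value.startswith("base64:"):
        return "APP_KEY is not in base64: form"
    try:
        raw = base64.b64decode(value[len("base64:"):], validate=True)
    except ValueError:
        return "APP_KEY is not valid base64"
    return None if len(raw) == KEY_LEN else f"APP_KEY is {len(raw)} bytes, AES-256-CBC needs {KEY_LEN}"

def audit_installs(envs):
    """envs: {install name: .env text} -> {install name: [findings]}; installs with no finding are omitted."""
    findings, by_key = defaultdict(list), defaultdict(list)
    for name, text in envs.items():
        value = parse_env(text).get("APP_KEY", "")
        if problem := key_problem(value):
            findings[name].append(problem)
        else:
            by_key[value].append(name)
    # One key in several installs is the fleet-level symptom of a key fixed at image-build time.
    for names in (n for n in by_key.values() if len(n) > 1):
        for name in names:
            findings[name].append("APP_KEY shared with " + ", ".join(sorted(set(names) - {name})))
    return dict(findings)

# Constructed sample .env contents (placeholder keys, not real ones): two installs share a key.
SHARED_KEY = "base64:" + base64.b64encode(b"A" * KEY_LEN).decode("ascii")
SAMPLE_ENVS = {"shop-a": f"APP_NAME=Shop\nAPP_KEY={SHARED_KEY}\nAPP_DEBUG=false\n",
               "shop-b": f"APP_KEY={SHARED_KEY}\n", "blog": f"APP_KEY={generate_app_key()}\n",
               "legacy": "APP_KEY=\n"}
```

Running audit_installs over the .env files of a fleet reports shop-a and shop-b as sharing a key and legacy as having none; each flagged install gets a fresh value from generate_app_key(), after which existing encrypted cookies and sessions for that install are invalidated.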

Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

CVE-2021-21979

Affected Products

Bitnami Containers
Laravel 6
Laravel 7
Laravel 8
PHP