PT-2022-8311 · Unknown · Laravel Framework
Published: 2022-05-14 · Updated: 2024-11-26 · CVE-2019-9081
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Laravel Framework version 5.7.x
Description
A deserialization vulnerability exists in the Illuminate component of the Laravel Framework and can lead to remote code execution when the serialized content is controllable by an attacker. The issue lies in the __destruct method of the PendingCommand class in PendingCommand.php. The vulnerability has been exploited in the wild: a hybrid cryptojacking malware dubbed "Lucifer" was discovered using it.
Recommendations
For Laravel Framework version 5.7.x, update to a newer version that includes a fix for this issue, as no specific workaround is provided for this version. As a temporary mitigation, restrict access to the PendingCommand class to reduce the risk of exploitation.
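The root cause is application code calling unserialize() on attacker-controllable input, which lets the attacker choose the class whose __destruct runs. The following is an added defensive example, not code from the PT-2022-8311 record or from the Laravel project: it shows how to deserialize untrusted input so that no application class (PendingCommand included) is ever instantiated, plus a coarse detection check suitable for request logging. It assumes PHP 8.0 or later (for str_contains and the mixed return type) and that the serialized string arrives from a request parameter or cookie; the sample payloads are constructed for the demonstration.

```php
<?php
// Added example (not part of the PT-2022-8311 record or of Laravel itself).
// Assumptions: PHP >= 8.0; $untrusted originates from an HTTP parameter,
// cookie or similar attacker-influenced source.

declare(strict_types=1);

/**
 * Deserialize untrusted input without instantiating any real class.
 * With 'allowed_classes' => false, every serialized object is restored as
 * __PHP_Incomplete_Class, so no __destruct()/__wakeup() of an application
 * class (such as Illuminate's PendingCommand) can ever be triggered.
 * Returns null when the payload is not a valid serialized string.
 */
function safeUnserialize(string $untrusted): mixed
{
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    // unserialize() returns false both on failure and for serialize(false);
    // tell the two cases apart explicitly.
    if ($value === false && $untrusted !== serialize(false)) {
        return null;
    }
    return $value;
}

/**
 * Detection helper for logging or WAF rules: flags any payload that tries
 * to instantiate an object (an "O:" token at a value boundary) or that
 * names a class in the Illuminate namespace. This is a coarse string check,
 * not a parser; treat hits as something to inspect, not as proof of attack.
 */
function looksLikeObjectPayload(string $payload): bool
{
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $payload)
        || str_contains($payload, 'Illuminate\\');
}

// Constructed samples for the demonstration (not real exploit payloads).
$benign = serialize(['page' => 2, 'sort' => 'name']);      // plain array
$objectPayload = 'O:9:"SomeClass":0:{}';                   // any object at all

var_dump(safeUnserialize($benign));                        // restored array
var_dump(looksLikeObjectPayload($benign));                 // should be false
var_dump(looksLikeObjectPayload($objectPayload));          // should be true

// Even when an object payload is deserialized, only a placeholder comes back.
$obj = safeUnserialize($objectPayload);
var_dump($obj instanceof __PHP_Incomplete_Class);          // placeholder, no __destruct of SomeClass
```

The first function is the actual fix for the class of bug described above: once allowed_classes is false, the chain that starts in PendingCommand's __destruct cannot be reached through unserialize() at all, regardless of which Laravel version is installed. The second function only narrows what to log or block; it will miss obfuscated payloads and should not be relied on as the sole control.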
Weakness Enumeration
Deserialization of Untrusted Data
Affected Products
Laravel Framework