Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

Laravel 5.8 marked as insecure when it's not in fact vulnerable to CVE-2021-3129 #69

Closed paulcdejean closed 3 years ago

paulcdejean commented 3 years ago

That version of Laravel, as well as older versions, does not include Ignition, which was the package whose code was exploited in that RCE. So it's not vulnerable to that exploit, and a lot of versions of Laravel that predate the inclusion of Ignition may have been erroneously added when there's not actually a security advisory for them.

jdreesen commented 3 years ago

I think you should report that to https://github.com/FriendsOfPHP/security-advisories because that's where the data comes from.

See: https://github.com/Roave/SecurityAdvisories#sources

Ocramius commented 3 years ago

Indeed, either there or through GitHub Security Advisories: it will be reflected here after publishing there (the sync happens hourly).