Impact

An attacker can exploit this vulnerability to bypass authentication using a specially crafted persist cookie.

• To exploit this vulnerability, an attacker must obtain a Laravel’s secret key for cookie encryption and signing.
• Due to the logic of how this mechanism works, a targeted user account must be logged in while
  the attacker is exploiting the vulnerability.
• Authorization via persist cookie not shown in access logs.

Patches

• Issue has been patched in Build 472 and v1.1.5
• Shortened patch instructions

Workarounds

Apply octobercms/library@016a297 and octobercms/library@5bd1a28 to your installation manually if you are unable to upgrade.

[Update 2022-01-20] Shortened patch instructions can be found here.

Recommendations

We recommend the following steps to make sure your server stays secure:

• Keep server OS and system software up to date.
• Keep October CMS software up to date.
• Use a multi-factor authentication plugin.
• Change the default backend URL or block public access to the backend area.
• Include the Roave/SecurityAdvisories Composer package to ensure that your application doesn't have installed dependencies with known security vulnerabilities.

References

Bugs found as part of Solar Security CMS Research. Credits to:
• Andrey Basarygin
• Andrey Guzei
• Mikhail Khramenkov
• Alexander Sidukov
• Maxim Teplykh

For more information

If you have any questions or comments about this advisory:

• Email us at hello@octobercms.com

References

• GHSA-h76r-vgf3-j6w5
• octobercms/library@016a297
• https://nvd.nist.gov/vuln/detail/CVE-2021-29487
• octobercms/library@5bd1a28