PRP: Request CVE-2021-3129 - Laravel <= v8.4.2 debug mode: Remote code execution

[timoles]

Hey Tsunami Team

I would like to start the implementation for a plugin that detects CVE-2021-3129.

• The vulnerability was discovered recently and a patched version is already available. - (Patched for Laravel > v8.4.2) (A blogpost describing the vulnerability)
• The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
• The vulnerability should have a relatively large impact radius. - Laravel is a commonly used PHP Web Framework.
• The vulnerability should be remotely exploitable without authentication and user interaction. - Thats the case.

Please let me know if this is in scope to start with its development.

[magl0]

Hi @timoles,

Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.

Thanks!

[magl0]

Hi @timoles,

Your PR has been reviewed by the scanner team and will be merged shortly after internal approval. This usually means a reward will be granted :) Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.

Thanks!

[magl0]

Hi @timoles,

Your PR has been reviewed by the scanner team and will be merged shortly after internal approval. This usually means a reward will be granted :) Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.

Thanks!