CVE-2017-16894

nvd nist nuclei

Published: Nov 20, 2017Modified: May 13, 2026

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

In Laravel framework through 5.5.21, remote attackers can obtain sensitive information (such as externally usable passwords) via a direct request for the /.env URI. NOTE: this CVE is only about Laravel framework's writeNewEnvironmentFileWith function in src/Illuminate/Foundation/Console/KeyGenerateCommand.php, which uses file_put_contents without restricting the .env permissions. The .env filename is not used exclusively by Laravel framework.

Affected (1)

Products: Laravel: Laravel

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Laravel Laravel	Up to 5.5.21

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (6)

http://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html

Source: cve@mitre.org

http://whiteboyz.xyz/laravel-env-file-vuln.html

Source: cve@mitre.org

Third Party AdvisoryURL Repurposed

https://twitter.com/finnwea/status/967709791442341888

Source: cve@mitre.org

http://packetstormsecurity.com/files/153641/PHP-Laravel-Framework-Token-Unserialize-Remote-Command-Execution.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://whiteboyz.xyz/laravel-env-file-vuln.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryURL Repurposed

https://twitter.com/finnwea/status/967709791442341888

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.