How severe is CVE-2021-21979?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.3 out of 10.

What type of vulnerability is CVE-2021-21979?

This is classified as CWE-798, which is a common weakness in software security.

CVE-2021-21979 - HIGH Severity | CVSS 7.3

Vulnerability Description

In Bitnami Containers, all Laravel container versions prior to: 6.20.0-debian-10-r107 for Laravel 6, 7.30.1-debian-10-r108 for Laravel 7 and 8.5.11-debian-10-r0 for Laravel 8, the file /tmp/app/.env is generated at the time that the docker image bitnami/laravel was built, and the value of APP_KEY is fixed under certain conditions. This value is crucial for the security of the application and must be randomly generated per Laravel installation. If your application's encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application.

Related Vulnerabilities

CVE-2017-12726

HIGH

CVSS:7.3(High)

A Use of Hard-coded Password issue was discovered in Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump, Version 1.1, 1.5, and 1.6. Telnet on the pump uses hardcoded credentials, which can b...

CWE-7982017

CVE-2017-9956

HIGH

CVSS:7.3(High)

An authentication bypass vulnerability exists in Schneider Electric's U.motion Builder software versions 1.2.1 and prior in which the system contains a hard-coded valid session. An attacker can use th...

CWE-7982017

CVE-2018-10813

HIGH

CVSS:7.3(High)

In Dedos-web 1.0, the cookie and session secrets used in the Express.js application have hardcoded values that are visible in the source code published on GitHub. An attacker can edit the contents of ...

CWE-7982018

CVE-2018-10966

HIGH

CVSS:7.3(High)

An issue was discovered in GamerPolls 0.4.6, related to config/environments/all.js and config/initializers/02_passport.js. An attacker can edit the Passport.js contents of the session cookie to contai...

CWE-7982018

CVE-2018-15360

HIGH

CVSS:7.3(High)

An attacker without authentication can login with default credentials for privileged users in Eltex ESP-200 firmware version 1.2.0.

CWE-7982018

CVE-2019-7279

HIGH

CVSS:7.3(High)

Optergy Proton/Enterprise devices have Hard-coded Credentials.

CWE-7982019