Cachet vulnerable to new line injection during configuration edition


### Impact Authenticated users, regardless of their privileges (_User_ or _Admin_), can exploit a new line injection in the configuration edition feature (e.g. mail settings) and gain arbitrary code execution on the server. ### Patches This issue was addressed by improving `UpdateConfigCommandHandler` and preventing the use of new lines characters in new configuration values. ### Workarounds Only allow trusted source IP addresses to access to the administration dashboard. ### References - https://blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection ### For more information If you have any questions or comments about this advisory, you can contact: - The original reporters, by sending an email to vulnerability.research [at] sonarsource.com; - The maintainers, by opening an issue on this repository.

Affected Software

CPE Name Name Version
cachethq/cachet 0.1.0-alpha
cachethq/cachet 1.0.0
cachethq/cachet 1.1.0
cachethq/cachet 1.1.1
cachethq/cachet 1.2.0
cachethq/cachet 1.2.1
cachethq/cachet 2.0.0
cachethq/cachet 2.0.0-RC1
cachethq/cachet 2.0.0-RC2
cachethq/cachet 2.0.0-RC3
cachethq/cachet 2.0.0-RC4
cachethq/cachet 2.0.0-RC5
cachethq/cachet 2.0.0-beta1
cachethq/cachet 2.0.0-beta2
cachethq/cachet 2.0.1
cachethq/cachet 2.0.2
cachethq/cachet 2.0.3
cachethq/cachet 2.0.4
cachethq/cachet 2.1.0
cachethq/cachet 2.1.0-RC1
cachethq/cachet 2.1.0-RC2
cachethq/cachet 2.1.1
cachethq/cachet 2.1.2
cachethq/cachet 2.2.0
cachethq/cachet 2.2.0-RC1
cachethq/cachet 2.2.1
cachethq/cachet 2.2.2
cachethq/cachet 2.2.3
cachethq/cachet 2.2.4
cachethq/cachet 2.3.0
cachethq/cachet 2.3.0-RC1
cachethq/cachet 2.3.0-RC2
cachethq/cachet 2.3.0-RC3
cachethq/cachet 2.3.0-RC4
cachethq/cachet 2.3.0-RC5
cachethq/cachet 2.3.0-RC6
cachethq/cachet 2.3.1
cachethq/cachet 2.3.10
cachethq/cachet 2.3.11
cachethq/cachet 2.3.12
cachethq/cachet 2.3.13
cachethq/cachet 2.3.14
cachethq/cachet 2.3.15
cachethq/cachet 2.3.16
cachethq/cachet 2.3.17
cachethq/cachet 2.3.18
cachethq/cachet 2.3.2
cachethq/cachet 2.3.3
cachethq/cachet 2.3.4
cachethq/cachet 2.3.5
cachethq/cachet 2.3.6
cachethq/cachet 2.3.7
cachethq/cachet 2.3.8
cachethq/cachet 2.3.9