Authenticated users, regardless of their privileges (User or Admin), can exploit a new line injection in the configuration edition feature (e.g. mail settings) and gain arbitrary code execution on the server.
This issue was addressed by improving UpdateConfigCommandHandler
and preventing the use of new lines characters in new configuration values.
Only allow trusted source IP addresses to access to the administration dashboard.
If you have any questions or comments about this advisory, you can contact:
blog.sonarsource.com/cachet-code-execution-via-laravel-configuration-injection
github.com/fiveai/Cachet
github.com/fiveai/Cachet/commit/6442976c25930cb370c65a22784b9caee7ed1de2
github.com/fiveai/Cachet/releases/tag/v2.5.1
github.com/fiveai/Cachet/security/advisories/GHSA-9jxw-cfrh-jxq6
nvd.nist.gov/vuln/detail/CVE-2021-39172