CVE-2021-29487

7.4 HIGH

📋 TL;DR

CVE-2021-29487 is an authentication bypass vulnerability in October CMS that allows unauthenticated attackers to take over user accounts. Exploitation requires the attacker to know the Laravel secret key, which is used to craft the malicious requests. The vulnerability affects frontend users of October CMS servers running vulnerable versions.

💻 Affected Systems

Products:
  • October CMS
Versions: All versions before Build 472 and v1.1.5
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects frontend users. Requires Laravel secret key for exploitation, which should be properly secured in production environments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of any frontend user, potentially leading to unauthorized access, data theft, privilege escalation, and full compromise of the CMS instance.

🟠 Likely Case

Targeted account takeover of specific users, potentially leading to unauthorized content modification, data access, or further attacks within the compromised account's permissions.

🟢 If Mitigated

Limited impact if Laravel secret key is properly secured and not accessible to attackers, though the vulnerability still exists in the codebase.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires obtaining the Laravel secret key, which adds a barrier but is still feasible if the key is exposed or compromised through other means.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Build 472 or v1.1.5

Vendor Advisory: https://github.com/octobercms/october/security/advisories/GHSA-h76r-vgf3-j6w5

Restart Required: No

Instructions:

1. Update October CMS to Build 472 or v1.1.5.
2. For October CMS v1.0.x: Update to Build 472 via the dashboard or command line.
3. For October CMS v1.1.x: Update to v1.1.5 via composer: composer require october/system:v1.1.5
4. Clear application cache if needed.

🔧 Temporary Workarounds

Secure Laravel Secret Key

linux

Ensure the Laravel secret key (APP_KEY in .env file) is properly secured and not accessible to unauthorized parties.

chmod 600 .env
chown www-data:www-data .env

Restrict Access to Frontend

all

Implement network-level restrictions to limit access to the October CMS frontend to trusted users only.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for suspicious authentication attempts
  • Regularly rotate Laravel secret keys and ensure they are never exposed in logs or error messages

🔍 How to Verify

Check if Vulnerable:

Check October CMS version via dashboard or by examining composer.lock file for october/system package version.

Check Version:

php artisan october:version

Verify Fix Applied:

Verify version is Build 472 or higher for v1.0.x, or v1.1.5 or higher for v1.1.x. Check that the patched files from GitHub commits are present.
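
The composer.lock check described above can be scripted. The following is an added example, not code from the advisory or the October CMS project; it assumes that on the 1.0.x line the build number is the patch component of the october/system version (for example v1.0.472), and the sample lock file is constructed.

```python
import json
import re

# Fixed releases named on this page: Build 472 (1.0.x) and v1.1.5 (1.1.x).
# Assumption: on 1.0.x the build number is the patch component (v1.0.472).
FIXED_PATCH = {(1, 0): 472, (1, 1): 5}

# Constructed sample, trimmed to the fields this check reads.
SAMPLE_LOCK = """
{
  "packages": [
    {"name": "vendor/example", "version": "v2.3.4"},
    {"name": "october/system", "version": "v1.0.471"}
  ],
  "packages-dev": []
}
"""

def october_system_version(lock_text):
    """Return the locked october/system version string, or None if absent."""
    lock = json.loads(lock_text)
    packages = (lock.get("packages") or []) + (lock.get("packages-dev") or [])
    for pkg in packages:
        if pkg.get("name") == "october/system":
            return pkg.get("version")
    return None

def classify(version):
    """Map a version string to 'vulnerable', 'patched' or 'unknown'."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", (version or "").strip())
    if not match:
        return "unknown"  # missing package, dev branches, aliases: review by hand
    major, minor, patch = (int(part) for part in match.groups())
    line = (major, minor)
    if line in FIXED_PATCH:
        return "patched" if patch >= FIXED_PATCH[line] else "vulnerable"
    # Lines older than 1.0 predate both fixes; newer lines come after v1.1.5.
    return "vulnerable" if line < (1, 0) else "patched"

def check(lock_text):
    """Return (version, verdict) for the given composer.lock contents."""
    version = october_system_version(lock_text)
    return version, classify(version)

if __name__ == "__main__":
    print(check(SAMPLE_LOCK))
```

To check a real install, pass the contents of the project's composer.lock to check(); an "unknown" verdict means the locked version is not a plain release tag and needs manual review.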

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Failed login attempts followed by successful logins from different IPs
  • Requests with manipulated session/cookie data

Network Indicators:

  • HTTP requests with specially crafted cookies or session data targeting October CMS endpoints

SIEM Query:

source="web_logs" AND (url_path="/account" OR url_path CONTAINS "october") AND (status_code=200 OR status_code=302) AND user_agent NOT IN expected_user_agents
