CVE-2021-23264: Exposure of Resource to Wrong Sphere in org.craftercms:crafter-search
9.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.76898%
CWE
Published
12/16/2021
Updated
2/1/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.craftercms:crafter-search | maven | >= 3.1.0, < 3.1.15 | 3.1.15 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing authentication mechanisms in search index operations. The GitHub commit 0e256ef adds access token configuration (SEARCH_ACCESS_TOKEN) to both authoring and delivery environment configurations, specifically in server-config.properties files. This indicates that prior to version 3.1.15, these access token checks were absent in the corresponding API handler functions that manage search indexes (create/view/delete operations). The CWE-668 exposure aligns with unprotected resources being exposed to unauthenticated actors through these API endpoints.