Miggo Logo

CVE-2021-23264: Exposure of Resource to Wrong Sphere in org.craftercms:crafter-search

9.1

CVSS Score
3.1

Basic Information

EPSS Score
0.76898%
Published
12/16/2021
Updated
2/1/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.craftercms:crafter-searchmaven>= 3.1.0, < 3.1.153.1.15

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing authentication mechanisms in search index operations. The GitHub commit 0e256ef adds access token configuration (SEARCH_ACCESS_TOKEN) to both authoring and delivery environment configurations, specifically in server-config.properties files. This indicates that prior to version 3.1.15, these access token checks were absent in the corresponding API handler functions that manage search indexes (create/view/delete operations). The CWE-668 exposure aligns with unprotected resources being exposed to unauthenticated actors through these API endpoints.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Inst*ll*tions, w**r* *r**t*r-s**r** is not prot**t**, *llow un*ut**nti**t** r*mot* *tt**k*rs to *r**t*, vi*w, *n* **l*t* s**r** in**x*s.

Reasoning

T** vuln*r**ility st*ms *rom missin* *ut**nti**tion m****nisms in s**r** in**x op*r*tions. T** *it*u* *ommit ******* ***s ****ss tok*n *on*i*ur*tion (S**R**_****SS_TOK*N) to *ot* *ut*orin* *n* **liv*ry *nvironm*nt *on*i*ur*tions, sp**i*i**lly in s*rv