CVE-2021-23266: Log value insertion in craftercms
CVSS Score: 4.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2021-23266
GHSA ID:
EPSS Score: 0.47578%
CWE: CWE-117 (Improper Output Neutralization for Logs)
Published: 5/17/2022
Updated: 2/3/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.craftercms:craftercms | maven | >= 3.1.0, < 3.1.18 | 3.1.18 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The provided patches only modify the environment configuration script (crafter-setenv.sh) to add the `-Dlog4j2.formatMsgNoLookups=true` JVM flag. This mitigation disables Log4j2 message lookups, addressing improper output neutralization for logs (CWE-117) by preventing `${...}` patterns in logged values from being interpreted. The actually vulnerable functions would be the application code that logs unsanitized user input (for example, URL parameters), but no application code changes are present in the provided patches. Runtime detection would require monitoring the Log4j2 logging methods that handle raw user input, but these functions are not explicitly visible in the patch diffs.