
CVE-2021-23266: Log value insertion in craftercms

CVSS Score (v3.1)
4.3

Basic Information

EPSS Score
0.47578%
Published
5/17/2022
Updated
2/3/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Package Name                Ecosystem   Vulnerable Versions    First Patched Version
org.craftercms:craftercms   maven       >= 3.1.0, < 3.1.18     3.1.18

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The provided patches only modify environment configuration scripts (crafter-setenv.sh) to add the '-Dlog4j2.formatMsgNoLookups=true' JVM flag. That flag stops Log4j2 from interpolating ${...} lookups that appear in log messages (the Log4Shell hardening), so it removes one way a logged value can be misinterpreted, but it does not strip newlines or other control characters. On its own it therefore does not neutralize forged log lines, which is the improper output neutralization (CWE-117) this advisory describes: an attacker-controlled value that reaches the log as-is can contain line breaks and fake entries that the administrator then reads in the log viewer. The actual vulnerable functions are in application code that logs unsanitized user input (e.g., URL parameters), and no application code changes are present in the provided patches. Runtime detection would require monitoring Log4j2 logging methods that receive raw user input, but these call sites are not visible in the patch diffs.
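To make that distinction concrete, here is an added example (not Crafter CMS code and not part of the advisory) of the vulnerable pattern the analysis describes next to a hardened version. The class, method and parameter names are hypothetical, the attacker input is constructed, and the code assumes log4j-api and log4j-core on the classpath:

```java
// Added example, not Crafter CMS code: a URL parameter logged as-is lets an
// attacker forge log entries; the hardened variant neutralizes CR/LF, other
// control characters and the Log4j2 "${" lookup prefix before logging.
// Assumes log4j-api and log4j-core are on the classpath; all names are hypothetical.
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.config.Configurator;

public class LogInjectionDemo {
    private static final Logger LOG = LogManager.getLogger(LogInjectionDemo.class);

    // Vulnerable pattern: the raw value of a request parameter goes straight
    // into the message. A value containing "\n" starts a new line in the log
    // file, and a log viewer shows it as a separate, legitimate-looking entry.
    static void logPageViewUnsafe(String siteParam) {
        LOG.info("Page requested for site {}", siteParam);
    }

    // Hardened pattern: neutralize the untrusted value at the call site.
    static void logPageViewSafe(String siteParam) {
        LOG.info("Page requested for site {}", neutralizeForLog(siteParam));
    }

    // Replaces characters that let attacker text break out of the current log
    // line (CR, LF, other C0 controls, DEL) with visible escapes, and breaks
    // the "${" token so no Log4j2 lookup can be attempted on the value.
    // The evidence stays in the log; only its side effects are removed.
    static String neutralizeForLog(String untrusted) {
        if (untrusted == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(untrusted.length());
        for (int i = 0; i < untrusted.length(); i++) {
            char c = untrusted.charAt(i);
            if (c == '\n') {
                sb.append("\\n");
            } else if (c == '\r') {
                sb.append("\\r");
            } else if (c < 0x20 || c == 0x7f) {
                sb.append(String.format("\\x%02x", (int) c));
            } else if (c == '$' && i + 1 < untrusted.length() && untrusted.charAt(i + 1) == '{') {
                sb.append("$\\{"); // "${" becomes "$\{", which is not lookup syntax
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Without a log4j2.xml the default root level is ERROR; raise it so INFO shows.
        Configurator.setRootLevel(Level.INFO);

        // Constructed attacker input, e.g. the value of ?site=... on a public URL.
        String forged = "editorial\n2022-05-17 10:00:01 INFO  Admin login from 10.0.0.5 succeeded";

        logPageViewUnsafe(forged); // two lines; the second is attacker-authored
        logPageViewSafe(forged);   // one line, with a literal "\n" in the value

        // Lookup syntax is defused even on Log4j2 versions that still resolve it.
        System.out.println(neutralizeForLog("${jndi:ldap://example.test/a}"));
    }
}
```

Per-call-site neutralization is easy to miss in a large code base, which is why the analysis above points at application code rather than the JVM flag. Log4j2's PatternLayout can also encode CR and LF in every message centrally (the `%enc{%m}{CRLF}` conversion in recent 2.x releases), which is the kind of broad control the provided patches do not add; the two measures complement each other, and neither is what '-Dlog4j2.formatMsgNoLookups=true' provides.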

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

An anonymous user can craft a URL with text that ends up in the log viewer as is. The text can then include textual messages to mislead the administrator.

Reasoning

The provided patches only modify environment configuration scripts (`crafter-setenv.sh`) to add the '-Dlog4j2.formatMsgNoLookups=true' JVM flag. This is a mitigation measure that disables Log4j2 message lookups, addressing improper output neutralization (CWE-117) by preventing ${} pattern interpretation.