7.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-40634

CVE-2022-40634: CrafterCMS Crafter Studio Improperly Controls Dynamically-Managed Code Resources

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker SSTI.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-40634

CVE-2022-40634:

7.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.craftercms:crafter-studio	maven	>= 3.1.0, < 3.1.23	3.1.23

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly involves FreeMarker SSTI to execute OS commands. FreeMarker's default configurations are unsafe when combined with untrusted templates, as they allow instantiation of arbitrary classes. CrafterCMS's advisory history (e.g., CVE-2020-25803) shows recurring issues with FreeMarker's ObjectWrapper allowing static method access. The FreeMarkerScriptProcessor class is a logical component responsible for template processing, and improper configuration here would directly enable the described attack vector. The lack of patch details is mitigated by historical patterns in CrafterCMS vulnerabilities and FreeMarker's known security requirements.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-40634: CrafterCMS Crafter Studio Improperly Controls Dynamically-Managed Code Resources

CVE-2022-40634:

7.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.2

7.2

Technical Details

CVE-2022-40634: CrafterCMS Crafter Studio Improperly Controls Dynamically-Managed Code Resources

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI