CVE-2021-23264— Transmission of Private Resources into a New Sphere ('Resource Leak') and Exposure of Resource to Wrong Sphere in Crafter Search
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-23264
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Transmission of Private Resources into a New Sphere ('Resource Leak') and Exposure of Resource to Wrong Sphere in Crafter Search
Source: NVD (National Vulnerability Database)
Vulnerability Description
Installations, where crafter-search is not protected, allow unauthenticated remote attackers to create, view, and delete search indexes.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
将私有的资源传输到一个新的空间(资源泄露)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Crafter CMS 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Crafter CMS是一套面向数字体验应用程序的开源内容管理系统(CMS)。 Crafter CMS 3.1到3.1.15版本存在安全漏洞,该漏洞源于软件存在资源泄漏,将私有资源传递到新领域。在Crafter Search中将资源暴露到错误的领域。这允许未经身份验证的远程攻击者可利用该漏洞创建、查看和删除搜索索引。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Crafter Software | Crafter CMS | 3.1 ~ 3.1.15 | - |
II. Public POCs for CVE-2021-23264
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2021-23264
请登录查看更多情报信息。
Same Patch Batch · Crafter Software · 2021-12-02 · 7 CVEs total
| CVE-2021-23260 | 6.5 MEDIUM | Stored XSS Vulnerability in File Name of the File Upload function |
| CVE-2021-23263 | 5.9 MEDIUM | Transmission of Private Resources into a New Sphere ('Resource Leak') in Crafter Engine |
| CVE-2021-23261 | 4.5 MEDIUM | Overriding the system configuration file causes a denial of service |
| CVE-2021-23258 | 4.2 MEDIUM | Spring SPEL Expression Language Injection |
| CVE-2021-23259 | 4.2 MEDIUM | Groovy Sandbox Bypass |
| CVE-2021-23262 | 4.2 MEDIUM | Snakeyaml deserialization vulnerability bypass |
IV. Related Vulnerabilities
Same product: Crafter CMS
- CVE-2022-40635
Improper Control of Dynamically-Managed Code Resources in Cr - CVE-2022-40634
Improper Control of Dynamically-Managed Code Resources in Cr - CVE-2021-23267
Improper Control of Dynamically-Managed Code Resources in Cr - CVE-2021-23266
Improper Output Neutralization for Logs in Crafter Studio - CVE-2021-23265
Improper Privilege Management in Crafter Studio
Same vendor: Crafter Software
- CVE-2022-40635
Improper Control of Dynamically-Managed Code Resources in Cr - CVE-2022-40634
Improper Control of Dynamically-Managed Code Resources in Cr - CVE-2021-23267
Improper Control of Dynamically-Managed Code Resources in Cr - CVE-2021-23266
Improper Output Neutralization for Logs in Crafter Studio - CVE-2021-23265
Improper Privilege Management in Crafter Studio
V. Comments for CVE-2021-23264
No comments yet