CVE-2021-23258

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-23258
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-23258.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-23258
Published
2021-12-02T16:15:07Z
Modified
2025-02-19T03:16:42.060695Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

Authenticated users with Administrator or Developer roles may execute OS commands through SpEL expressions in Spring beans. SpEL expressions have no security restrictions, which allows attackers to execute arbitrary commands remotely (RCE).

References

Affected packages

Git / github.com/craftercms/craftercms

Affected ranges

Type
GIT
Repo
https://github.com/craftercms/craftercms
Events

Affected versions

v3.*

v3.1.0
v3.1.1
v3.1.10
v3.1.11
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9