GHSA-5644-3vgq-2ph5

Source

https://github.com/advisories/GHSA-5644-3vgq-2ph5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-5644-3vgq-2ph5/GHSA-5644-3vgq-2ph5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5644-3vgq-2ph5

Aliases

CVE-2025-6384

Published

2025-06-19T21:31:20Z

Modified

2025-06-20T16:29:49.705060Z

Severity

7.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator

Summary

Crafter Studio Groovy Sandbox Bypass

Details

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.

By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution).

This issue affects CrafterCMS: from 4.0.0 through 4.2.2.

Database specific

{
    "nvd_published_at": "2025-06-19T21:15:27Z",
    "github_reviewed_at": "2025-06-20T13:28:38Z",
    "github_reviewed": true,
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-913"
    ]
}

References

Affected packages

Maven / org.craftercms:crafter-studio

Package

Name: org.craftercms:crafter-studio; View open source insights on deps.dev
Purl: pkg:maven/org.craftercms/crafter-studio

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.3.0

Affected versions

4.*

4.0.1

4.0.2

4.0.4

4.0.5

4.0.6

4.1.5

4.1.6

4.1.7

4.1.8

4.1.9

4.2.1

4.2.2