Authenticated users holding the Administrator or Developer role in CrafterCMS can execute OS commands through SpEL (Spring Expression Language) expressions in Spring beans. The expressions are evaluated without any security restrictions, so an attacker with one of those roles can run arbitrary commands on the server, i.e. remote code execution (RCE).
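The advisory text above describes the mechanism but shows no code, so here is an added illustration of what "SpEL evaluated without restrictions" means in practice. This is example code written for this page, not CrafterCMS's code and not the vulnerable bean itself; it assumes only the Spring Expression dependency (spring-expression) on the classpath and uses a constructed, harmless expression in place of a real payload. It evaluates the same attacker-supplied string twice: once with StandardEvaluationContext, which permits type references and arbitrary method calls, and once with SimpleEvaluationContext, which rejects them.

```java
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelContextDemo {

    // Constructed attacker-controlled input (not a real payload from the advisory).
    // A type reference T(...) reaches any class on the JVM; replacing the
    // System.getProperty call with T(java.lang.Runtime).getRuntime().exec('...')
    // is what turns unrestricted evaluation into OS command execution.
    static final String UNTRUSTED = "T(java.lang.System).getProperty('os.name')";

    // Unrestricted: StandardEvaluationContext allows type references,
    // constructors, bean references and arbitrary method invocation.
    static Object evaluateUnrestricted(String expr) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression e = parser.parseExpression(expr);
        return e.getValue(new StandardEvaluationContext());
    }

    // Restricted: SimpleEvaluationContext (Spring Framework 4.3.15+ / 5.0.5+)
    // refuses type references, constructors and bean references, so the same
    // input fails with SpelEvaluationException instead of reaching the JVM.
    static Object evaluateRestricted(String expr, Object root) {
        ExpressionParser parser = new SpelExpressionParser();
        Expression e = parser.parseExpression(expr);
        return e.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build(), root);
    }

    public static void main(String[] args) {
        System.out.println("unrestricted: " + evaluateUnrestricted(UNTRUSTED));
        try {
            System.out.println("restricted: " + evaluateRestricted(UNTRUSTED, new Object()));
        } catch (SpelEvaluationException ex) {
            System.out.println("restricted: rejected (" + ex.getMessageCode() + ")");
        }
    }
}
```

The practical check when auditing a Spring application for this class of bug: search for `StandardEvaluationContext` (or `getValue` calls with no context argument, which default to it) and trace whether the expression string can be influenced by a request. Where the expression only needs to read properties of a root object, `SimpleEvaluationContext.forReadOnlyDataBinding()` is the drop-in hardening; where untrusted users may supply expressions at all, the expression feature should not be exposed to them, regardless of role.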
References
Link | Resource |
---|---|
https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120101 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: crafter
Published: 2021-12-01T00:00:00
Updated: 2021-12-02T15:40:54
Reserved: 2021-01-08T00:00:00
Link: CVE-2021-23258
NVD Information
Status : Analyzed
Published: 2021-12-02T16:15:07.437
Modified: 2021-12-03T18:17:36.290
Link: CVE-2021-23258
Redhat Information
No data.
CWE