CVE-2021-23258: Spring SPEL Expression Language Injection
First published: Thu Dec 02 2021(Updated: )
Authenticated users with Administrator or Developer roles may execute OS commands by SPEL Expression in Spring beans. SPEL Expression does not have security restrictions, which will cause attackers to execute arbitrary commands remotely (RCE).
Credit: security@craftersoftware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Craftercms Crafter Cms | >=3.1.0<3.1.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2021-23258?
CVE-2021-23258 is a vulnerability that allows authenticated users with Administrator or Developer roles to execute OS commands by using SPEL Expression in Spring beans.
How does CVE-2021-23258 affect Crafter CMS?
CVE-2021-23258 affects Crafter CMS versions 3.1.0 through 3.1.12.
What is the severity of CVE-2021-23258?
CVE-2021-23258 has a severity rating of 7.2 (high).
How can authenticated users exploit CVE-2021-23258?
Authenticated users with Administrator or Developer roles can exploit CVE-2021-23258 by executing arbitrary OS commands remotely using SPEL Expression.
How can I fix CVE-2021-23258?
To fix CVE-2021-23258, it is recommended to update Crafter CMS to a version beyond 3.1.12 and apply any necessary security patches.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/tags
- agent/description
- agent/first-publish-date
- agent/title
- agent/event
- vendor/craftercms
- canonical/craftercms crafter cms
- version/craftercms crafter cms/3.1.0