CVE-2021-23264
📋 TL;DR
CVE-2021-23264 allows unauthenticated remote attackers to create, view, and delete search indexes in unprotected crafter-search installations. This affects Crafter CMS deployments where the search component is exposed without authentication. Attackers can manipulate search functionality to disrupt operations or gather sensitive information.
💻 Affected Systems
- Crafter CMS
📦 What is this software?
Crafter CMS by CrafterCMS
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of search functionality allowing data destruction, service disruption, and potential data exfiltration from search indexes.
Likely Case
Unauthorized modification or deletion of search indexes causing service degradation and operational impact.
If Mitigated
No impact if proper authentication controls are implemented on crafter-search endpoints.
🎯 Exploit Status
Simple HTTP requests to unprotected endpoints can trigger the vulnerability. No special tools required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.18 and later
Vendor Advisory: https://docs.craftercms.org/en/3.1/security/advisory.html#cv-2021120107
Restart Required: Yes
Instructions:
1. Upgrade to Crafter CMS 3.1.18 or later.
2. Apply the patch from the vendor advisory.
3. Restart the Crafter CMS service.
4. Verify authentication is enabled on crafter-search endpoints.
🔧 Temporary Workarounds
Enable Authentication on Search Endpoints
Configure authentication requirements for all crafter-search API endpoints
Configure authentication in Crafter CMS security settings for /api/1/search/* endpoints
Network Access Control
Restrict network access to crafter-search endpoints using firewall rules (Linux iptables example; replace [crafter-port] with the port crafter-search listens on, repeat the ACCEPT line for each trusted network, and keep the ACCEPT rules ahead of the DROP rule):
iptables -A INPUT -p tcp --dport [crafter-port] -s [trusted-networks] -j ACCEPT
iptables -A INPUT -p tcp --dport [crafter-port] -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate crafter-search from untrusted networks
- Deploy a web application firewall (WAF) with rules to block unauthorized access to search management endpoints
🔍 How to Verify
Check if Vulnerable:
Attempt unauthenticated HTTP requests to crafter-search endpoints (e.g., GET /api/1/search/index/create) and check if they succeed without credentials.
Check Version:
Check Crafter CMS version in administration panel or via system logs
Verify Fix Applied:
Verify that unauthenticated requests to crafter-search endpoints return authentication errors (401/403) and that the system version is 3.1.18 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated requests to /api/1/search/* endpoints
- Search index creation/deletion from unauthenticated sources
- HTTP 200 responses on search management endpoints without auth headers
Network Indicators:
- Unusual volume of requests to search API endpoints
- Search index manipulation patterns from external IPs
SIEM Query (field names depend on how crafter.log is parsed in your SIEM):
source="crafter.log" AND (uri_path="/api/1/search/*" AND NOT (user!="anonymous" OR auth_success="true"))
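The log indicators and the SIEM query above can be exercised offline. The Python script below is an added example, not part of this advisory or of Crafter CMS: it parses a few constructed combined-format access-log lines, flags unauthenticated requests under /api/1/search/*, and rates a successful (2xx) hit on an index-management path higher than a rejected (401/403) probe. The log layout, the client addresses, the query strings and the /api/1/search/index/delete and /api/1/search/?q= paths are assumptions made for the example; only /api/1/search/index/create comes from the page.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in combined-log layout:
#   client_ip ident auth_user [timestamp] "METHOD path HTTP/x" status bytes
# An auth_user of "-" means the request carried no authenticated identity.
# /api/1/search/index/create is the endpoint named in the advisory; the
# other paths and all addresses are assumptions made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Jan/2022:10:01:02 +0000] "GET /api/1/search/index/create?id=site HTTP/1.1" 200 57
203.0.113.9 - - [10/Jan/2022:10:02:11 +0000] "GET /api/1/search/index/create?id=rogue HTTP/1.1" 200 57
203.0.113.9 - - [10/Jan/2022:10:02:15 +0000] "GET /api/1/search/index/delete?id=site HTTP/1.1" 200 12
203.0.113.9 - - [10/Jan/2022:10:02:40 +0000] "GET /api/1/search/?q=admin HTTP/1.1" 200 812
198.51.100.4 - - [10/Jan/2022:10:03:00 +0000] "GET /api/1/search/index/create?id=x HTTP/1.1" 401 0
10.0.0.7 - editor [10/Jan/2022:10:04:30 +0000] "GET /studio/ HTTP/1.1" 200 4310
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

SEARCH_PREFIX = "/api/1/search/"          # the exposed crafter-search API tree
INDEX_PREFIX = SEARCH_PREFIX + "index/"   # index create/delete live under here
UNAUTHENTICATED = {"-", "anonymous"}      # how the log marks "no user"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Severity of one parsed record, or None if it is not of interest.

    high   : unauthenticated request succeeded on an index-management path
    medium : unauthenticated request succeeded elsewhere under /api/1/search/
    info   : unauthenticated request was rejected (401/403), so auth is working
    """
    path = rec["path"].split("?", 1)[0]
    if not path.startswith(SEARCH_PREFIX) or rec["user"] not in UNAUTHENTICATED:
        return None
    status = rec["status"]
    if status in ("401", "403"):
        return "info"
    if status.startswith("2"):
        return "high" if path.startswith(INDEX_PREFIX) else "medium"
    return None


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line that matches the advisory's indicators."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity is None:
            continue
        findings.append({
            "severity": severity,
            "ip": rec["ip"],
            "path": rec["path"].split("?", 1)[0],
            "status": rec["status"],
            "ts": rec["ts"],
        })
    return findings


if __name__ == "__main__":
    # Run stand-alone to see the findings for the constructed sample.
    for f in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:6} {f['ip']:15} {f['status']} {f['path']} ({f['ts']})")
```

Feed it real access logs by replacing SAMPLE_LOG with the file contents; adjust LOG_RE and UNAUTHENTICATED to match how your reverse proxy or Crafter logs the authenticated user. After the fix is applied, every unauthenticated hit should land in the "info" bucket; any "high" finding means index management answered without credentials.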