CVE-2021-45364

9.8 CRITICAL

📋 TL;DR

This CVE describes a code execution vulnerability in Statamic CMS versions through 3.2.26 via SettingsController.php. However, the vendor indicates this CVE was published in error and the affected code was never used in any Statamic product. Organizations using Statamic should verify their version but note the vendor's position.

💻 Affected Systems

Products:
  • Statamic CMS
Versions: Through 3.2.26
Operating Systems: All platforms running Statamic
Default Config Vulnerable: ✅ No
Notes: Vendor states affected code was never used in any Statamic product - this CVE may be invalid

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution allowing complete system compromise if the vulnerability existed and was exploited

🟠 Likely Case

No impact according to vendor statement that affected code was never used in production

🟢 If Mitigated

No impact if vendor statement is accurate

🌐 Internet-Facing: LOW
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: UNKNOWN

Limited information available due to vendor dispute of CVE validity

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch required per vendor statement. Consider updating to latest Statamic version for general security improvements.

🔧 Temporary Workarounds

Verify Statamic installation (Linux)

Check whether your Statamic installation contains the affected SettingsController.php code:

grep -r "SettingsController" /path/to/statamic/installation

🧯 If You Can't Patch

  • Monitor vendor communications for any updates regarding this CVE
  • Implement general web application security controls (WAF, input validation, least privilege)

🔍 How to Verify

Check if Vulnerable:

Check Statamic version and verify if SettingsController.php contains vulnerable code

Check Version:

Check Statamic configuration files or composer.json for version information

Verify Fix Applied:

Confirm Statamic version is 3.2.27+ or verify with vendor that installation is unaffected

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to SettingsController endpoints
  • Unexpected file modifications

Network Indicators:

  • Suspicious requests to admin/settings paths

SIEM Query:

web_access_logs WHERE uri CONTAINS 'settings' AND status_code = 200
