CVE-2021-23263
Published: 2021-12-02
Priority: P278 · high · 7.5 · CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW: VulnCheck KEV (Exploited in the wild)
EPSS: 1.58% (72.5th percentile)
Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary).
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| crafter_software | crafter_cms | >= 3.1 < 3.1.15 | 3.1.15 |
| craftercms | crafter_cms | >= 3.1.0 < 3.1.15 | 3.1.15 |
Detection & IOCs (extracted from sources)
- Monitor web server logs for repeated requests to /.git/config and other paths under /.git/ — this is a key indicator of active reconnaissance for CVE-2021-23263 exploitation.
- Traffic crawling /.git/ paths is tracked under the GreyNoise 'Git Config Crawler' tag; 95% of IPs observed engaging in this behavior over the past 90 days are classified as malicious.
- Source IPs are predominantly linked to cloud infrastructure providers (Cloudflare, Amazon, DigitalOcean); do not rely solely on ASN-based blocking, as a detection bypass is trivial.
- None of the scanning IPs are spoofed, so source IP-based detection and blocking is reliable for this activity.
- The vulnerability allows unauthenticated read of textual content only — binary files within /.git/* are not accessible via this path traversal/FreeMarker exposure.
- If the full .git directory is exposed (beyond just config), attackers may reconstruct the entire codebase including commit history, which may contain credentials or sensitive logic.
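As an added example (not code from the page or from any of the cited sources), the following Python check implements the first detection item above: it scans combined-format access-log lines and reports source IPs that repeatedly request paths under /.git/, percent-decoding the path and collapsing doubled slashes so trivially obfuscated probes are still counted. The log lines, IPs and threshold are constructed samples.

```python
"""Flag source IPs that repeatedly probe /.git/ paths in web server access logs."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Combined/common log format: client IP, ident, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalize_path(target: str) -> str:
    """Drop the query string, percent-decode, and collapse repeated slashes."""
    path = unquote(target.split('?', 1)[0])
    return re.sub(r'/+', '/', path)

def is_git_probe(target: str) -> bool:
    """True if the request targets /.git or anything below it (but not e.g. /.gitignore)."""
    path = normalize_path(target)
    return path == '/.git' or path.startswith('/.git/')

def git_probers(log_lines, min_hits: int = 2):
    """Return {ip: {'hits': n, 'paths': [...]}} for IPs with >= min_hits requests under /.git/."""
    hits = Counter()
    paths = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_git_probe(m['target']):
            continue
        hits[m['ip']] += 1
        paths[m['ip']].append(normalize_path(m['target']))
    return {ip: {'hits': n, 'paths': paths[ip]} for ip, n in hits.items() if n >= min_hits}

# Constructed sample log lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Dec/2021:10:00:01 +0000] "GET /.git/config HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Dec/2021:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23',
    '203.0.113.7 - - [02/Dec/2021:10:00:03 +0000] "GET /%2Egit/index HTTP/1.1" 404 0',
    '198.51.100.4 - - [02/Dec/2021:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 3120',
    '198.51.100.4 - - [02/Dec/2021:10:01:05 +0000] "GET /.gitignore HTTP/1.1" 404 0',
    '192.0.2.9 - - [02/Dec/2021:10:02:00 +0000] "GET //.git//config?x=1 HTTP/1.1" 200 512',
]

if __name__ == '__main__':
    for ip, info in git_probers(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} requests under /.git/ -> {info['paths']}")
```

Lower `min_hits` to 1 to list single probes as well; the single-request source in the sample then appears with its normalized `/.git/config` path.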
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | | 5.9 | MEDIUM | |
GHSA
GHSA-rg56-4qhp-cj7h · ghsa_unreviewed · 2021-12-03
CVE-2021-23263 [HIGH] CWE-668
Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary).
VulnCheck
CVE-2021-23263 [MEDIUM] · vulncheck · 2021 · CVSS 5.9
craftercms crafter_cms: Transmission of Private Resources into a New Sphere ('Resource Leak')
Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary).
Affected: craftercms crafter_cms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://info.greynoise.io/hubfs/resources/GreyNoise-2025-Mass-Internet-Exploitation-Report.pdf; https://www.greynoise.io/blog/spike-git-configuration-crawling-risk-codebase-exposure
No detection rules found.
No public exploits indexed.
Timeline: 2021-12-02 Published · Exploited in the wild