CVE-2021-23263
published 2021-12-02

CVE-2021-23263: Unauthenticated remote attackers can read textual content via FreeMarker including files /scripts/*, /templates/* and some of the files in /.git/* (non-binary).

Priority: P2 (78), high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
In the wild: VulnCheck KEV
Exploited in the wild
EPSS: 1.58% (72.5th percentile)

Affected

2 ranges
Vendor            | Product      | Version range       | Fixed in
crafter_software  | crafter_cms  | >= 3.1 < 3.1.15     | 3.1.15
craftercms        | crafter_cms  | >= 3.1.0 < 3.1.15   | 3.1.15

Detection & IOCs (extracted from sources)

path: /scripts/*
path: /templates/*
path: /.git/*
path: /.git/config
  • Monitor web server logs for repeated requests to /.git/config and other paths under /.git/ — this is a key indicator of active reconnaissance for CVE-2021-23263 exploitation.
  • Traffic crawling /.git/ paths is tracked under the GreyNoise 'Git Config Crawler' tag; 95% of IPs observed engaging in this behavior over the past 90 days are classified as malicious.
  • Source IPs are predominantly linked to cloud infrastructure providers (Cloudflare, Amazon, DigitalOcean); do not rely solely on ASN-based blocking as a detection bypass is trivial.
  • None of the scanning IPs are spoofed, so source IP-based detection and blocking is reliable for this activity.
  • The vulnerability allows unauthenticated read of textual content only — binary files within /.git/* are not accessible via this path traversal/FreeMarker exposure.
  • If the full .git directory is exposed (beyond just config), attackers may reconstruct the entire codebase including commit history, which may contain credentials or sensitive logic.

CVSS provenance

Source     | Version | Score | Severity | Vector
nvd        | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd        | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck  |         | 5.9   | MEDIUM   |