nuclei-templates/http/cves/2021/CVE-2021-20031.yaml

id: CVE-2021-20031

info:
  name: SonicWall SonicOS 7.0 - Open Redirect
  author: gy741
  severity: medium
  description: SonicWall SonicOS 7.0 contains an open redirect vulnerability. The values of the Host headers are implicitly set as trusted. An attacker can spoof a particular host header, allowing the attacker to render arbitrary links, obtain sensitive information, modify data, execute unauthorized operations. and/or possibly redirect a user to a malicious site.
  reference:
    - https://www.exploit-db.com/exploits/50414
    - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019
    - http://packetstormsecurity.com/files/164502/Sonicwall-SonicOS-7.0-Host-Header-Injection.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-20031
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-20031
    cwe-id: CWE-601
    epss-score: 0.0135
  metadata:
    max-request: 1
    google-query: inurl:"auth.html" intitle:"SonicWall"
  tags: sonicwall,redirect,edb,packetstorm,cve,cve2021

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{randstr}}.tld

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'https://{{randstr}}.tld/auth.html'
          - 'Please be patient as you are being re-directed'
        part: body
        condition: and

      - type: status
        status:
          - 200
Create CVE-2021-20031.yaml A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-17 23:24:29 +00:00			`id: CVE-2021-20031`

			`info:`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`name: SonicWall SonicOS 7.0 - Open Redirect`
Create CVE-2021-20031.yaml A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-17 23:24:29 +00:00			`author: gy741`
Auto Generated CVE annotations [Wed Oct 20 22:40:20 UTC 2021] :robot: 2021-10-20 22:40:20 +00:00			`severity: medium`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`description: SonicWall SonicOS 7.0 contains an open redirect vulnerability. The values of the Host headers are implicitly set as trusted. An attacker can spoof a particular host header, allowing the attacker to render arbitrary links, obtain sensitive information, modify data, execute unauthorized operations. and/or possibly redirect a user to a malicious site.`
Create CVE-2021-20031.yaml A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-17 23:24:29 +00:00			`reference:`
			`- https://www.exploit-db.com/exploits/50414`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019`
			`- http://packetstormsecurity.com/files/164502/Sonicwall-SonicOS-7.0-Host-Header-Injection.html`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-20031`
Auto Generated CVE annotations [Wed Oct 20 22:40:20 UTC 2021] :robot: 2021-10-20 22:40:20 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 6.1`
Auto Generated CVE annotations [Wed Oct 20 22:40:20 UTC 2021] :robot: 2021-10-20 22:40:20 +00:00			`cve-id: CVE-2021-20031`
			`cwe-id: CWE-601`
Added CPE and EPSS Score to CVE Templates 2023-04-12 10:55:48 +00:00			`epss-score: 0.0135`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 1`
Replace google-dork with google-query in all templates (#5328) * dos2unix to standardize line endings * Replace google-dork with google-query 2022-09-08 22:39:14 +00:00			`google-query: inurl:"auth.html" intitle:"SonicWall"`
Auto Generated CVE annotations [Sat Aug 27 04:41:18 UTC 2022] :robot: 2022-08-27 04:41:18 +00:00			`tags: sonicwall,redirect,edb,packetstorm,cve,cve2021`
Create CVE-2021-20031.yaml A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-17 23:24:29 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2021-20031.yaml A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-17 23:24:29 +00:00			`- raw:`
			`- \|`
			`GET / HTTP/1.1`
			`Host: {{randstr}}.tld`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`words:`
			`- 'https://{{randstr}}.tld/auth.html'`
			`- 'Please be patient as you are being re-directed'`
			`part: body`
			`condition: and`

			`- type: status`
			`status:`
			`- 200`