nuclei-templates/http/cves/2021/CVE-2021-20031.yaml

id: CVE-2021-20031

info:
  name: SonicWall SonicOS 7.0 - Open Redirect
  author: gy741
  severity: medium
  description: SonicWall SonicOS 7.0 contains an open redirect vulnerability. The values of the Host headers are implicitly set as trusted. An attacker can spoof a particular host header, allowing the attacker to render arbitrary links, obtain sensitive information, modify data, execute unauthorized operations. and/or possibly redirect a user to a malicious site.
  remediation: |
    Apply the latest security patch or update provided by SonicWall to mitigate the vulnerability.
  reference:
    - https://www.exploit-db.com/exploits/50414
    - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019
    - http://packetstormsecurity.com/files/164502/Sonicwall-SonicOS-7.0-Host-Header-Injection.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-20031
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-20031
    cwe-id: CWE-601
    epss-score: 0.01452
    epss-percentile: 0.86646
    cpe: cpe:2.3:h:sonicwall:nsa_2650:-:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: sonicwall
    product: nsa_2650
    google-query: inurl:"auth.html" intitle:"SonicWall"
  tags: cve,cve2021,sonicwall,redirect,edb,packetstorm

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{randstr}}.tld

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'https://{{randstr}}.tld/auth.html'
          - 'Please be patient as you are being re-directed'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022059f740a31b60ed89fa96f917d460c88ee8f530001b4a7f379d899dc654d4e1e002210091c3f5cd2ea67e6382a8ed4ee86abb86ff080cb39045dc5cb218b105ba8d67b6:922c64590222798bb761d5b6d8e72950
Create CVE-2021-20031.yaml A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-17 23:24:29 +00:00			`id: CVE-2021-20031`

			`info:`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`name: SonicWall SonicOS 7.0 - Open Redirect`
Create CVE-2021-20031.yaml A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-17 23:24:29 +00:00			`author: gy741`
Auto Generated CVE annotations [Wed Oct 20 22:40:20 UTC 2021] :robot: 2021-10-20 22:40:20 +00:00			`severity: medium`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`description: SonicWall SonicOS 7.0 contains an open redirect vulnerability. The values of the Host headers are implicitly set as trusted. An attacker can spoof a particular host header, allowing the attacker to render arbitrary links, obtain sensitive information, modify data, execute unauthorized operations. and/or possibly redirect a user to a malicious site.`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: \|`
			`Apply the latest security patch or update provided by SonicWall to mitigate the vulnerability.`
Create CVE-2021-20031.yaml A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-17 23:24:29 +00:00			`reference:`
			`- https://www.exploit-db.com/exploits/50414`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0019`
			`- http://packetstormsecurity.com/files/164502/Sonicwall-SonicOS-7.0-Host-Header-Injection.html`
Dashboard Content Enhancements (#5704) Dashboard Content Enhancements 2022-10-19 21:11:27 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-20031`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`- https://github.com/ARPSyndicate/cvemon`
Auto Generated CVE annotations [Wed Oct 20 22:40:20 UTC 2021] :robot: 2021-10-20 22:40:20 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 6.1`
Auto Generated CVE annotations [Wed Oct 20 22:40:20 UTC 2021] :robot: 2021-10-20 22:40:20 +00:00			`cve-id: CVE-2021-20031`
			`cwe-id: CWE-601`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.01452`
			`epss-percentile: 0.86646`
			`cpe: cpe:2.3:h:sonicwall:nsa_2650:-:::::::*`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: sonicwall`
product/queries updated 2024-05-31 19:23:20 +00:00			`product: nsa_2650`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`google-query: inurl:"auth.html" intitle:"SonicWall"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve,cve2021,sonicwall,redirect,edb,packetstorm`
Create CVE-2021-20031.yaml A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-17 23:24:29 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2021-20031.yaml A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-17 23:24:29 +00:00			`- raw:`
			`- \|`
			`GET / HTTP/1.1`
			`Host: {{randstr}}.tld`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: body`
Create CVE-2021-20031.yaml A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Signed-off-by: GwanYeong Kim <gy741.kim@gmail.com> 2021-10-17 23:24:29 +00:00			`words:`
			`- 'https://{{randstr}}.tld/auth.html'`
			`- 'Please be patient as you are being re-directed'`
			`condition: and`

			`- type: status`
			`status:`
			`- 200`
Auto Template Signing [Sat Jun 1 06:52:59 UTC 2024] :robot: 2024-06-01 06:53:00 +00:00			`# digest: 4a0a00473045022059f740a31b60ed89fa96f917d460c88ee8f530001b4a7f379d899dc654d4e1e002210091c3f5cd2ea67e6382a8ed4ee86abb86ff080cb39045dc5cb218b105ba8d67b6:922c64590222798bb761d5b6d8e72950`