From 7d7ab858b2b3b0048f5e07c6f60279c337bf5a17 Mon Sep 17 00:00:00 2001
From: Ryan Borum <37112354+ryanborum@users.noreply.github.com>
Date: Tue, 16 Jul 2024 08:04:14 -0400
Subject: [PATCH] Improved shodan query for CVE-2024-36401.yaml

Returns ~50k accurate results compared to ~900 before. Source: https://www.vicarius.io/vsociety/posts/geoserver-rce-cve-2024-36401
---
 http/cves/2024/CVE-2024-36401.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/http/cves/2024/CVE-2024-36401.yaml b/http/cves/2024/CVE-2024-36401.yaml
index eb40bc63a5..0d68613ef4 100644
--- a/http/cves/2024/CVE-2024-36401.yaml
+++ b/http/cves/2024/CVE-2024-36401.yaml
@@ -2,7 +2,9 @@ id: CVE-2024-36401
 
 info:
   name: GeoServer RCE in Evaluating Property Name Expressions
-  author: DhiyaneshDk
+  author: 
+   - DhiyaneshDk
+   - GarysMortalEnemy
   severity: critical
   description: |
     In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
@@ -18,7 +20,7 @@ info:
     max-request: 1
     vendor: osgeo
     product: geoserver
-    shodan-query: http.title:"geoserver"
+    shodan-query: Server: GeoHttpServer
     fofa-query:
       - title="geoserver"
       - app="geoserver"
@@ -65,4 +67,4 @@ http:
         part: content_type
         words:
           - "application/xml"
-# digest: 4a0a004730450220735fae2d600334ad0b407f6e2a0905a071226561197d52236f48b8065ee38fa4022100c16a9085e40790dda9b6217e62a1d5fc3d0d68d7443cf10582b55cece0c2e632:922c64590222798bb761d5b6d8e72950
\ No newline at end of file
+# digest: 4a0a004730450220735fae2d600334ad0b407f6e2a0905a071226561197d52236f48b8065ee38fa4022100c16a9085e40790dda9b6217e62a1d5fc3d0d68d7443cf10582b55cece0c2e632:922c64590222798bb761d5b6d8e72950