id: CVE-2023-27587

info:
  name: ReadToMyShoe - Google Cloud API Disclosure
  author: vagnerd
  severity: high
  description: |
    If an error occurs when adding an article, the website shows the user an error message. If the error originates from the Google Cloud TTS request, then it will include the full URL of the request. The request URL contains the Google Cloud API key.
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27587
    - https://github.com/rozbb/readtomyshoe/security/advisories/GHSA-23g5-r34j-mr8g
    - https://github.com/sec-fx/CVE-2023-27587-PoC
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
    cvss-score: 7.4
    cve-id: CVE-2023-27587
    cwe-id: CWE-209
  tags: cve,cve2023,debug,readtomyshoe,disclosure

requests:
  - raw:
      - |
        POST /api/add-article-by-text HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Type: application/json

        {
          "title":"Kernsicherheitstest",
          "body":"Kernsicherheitstest"
        }

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Caused by:"
          - "TTS request failed"
        condition: and

      - type: word
        part: header
        words:
          - "text/plain"

      - type: status
        status:
          - 500

      - type: dsl
        dsl:
          - '!contains((body), ''https://texttospeech.googleapis.com/v1beta1/text:synthesize?key=REDACTED'')'