match on url as well to be safe

crowdsecurity · Mar 25, 2024 · 66a2363 · 66a2363
1 parent 0eaa605
commit 66a2363
Showing 1 changed file with 15 additions and 7 deletions.
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-1212.yaml
@@ -1,13 +1,21 @@
 name: crowdsecurity/vpatch-CVE-2024-1212
 description: "Progress Kemp LoadMaster Unauthenticated Command Injection (CVE-2024-1212)"
 rules:
-  - zones:
-    - HEADERS
-    variables:
-    - Authorization
-    match:
-      type: contains
-      value: 'Basic Jzt' #b64encode of ';
+  - and:
+    - zones:
+      - URI
+      transform:
+      - lowercase
+      match:
+        type: contains
+        value: /access/set
+    - zones:
+      - HEADERS
+      variables:
+      - Authorization
+      match:
+        type: contains
+        value: 'Basic Jzt' #b64encode of ';
 labels:
   type: exploit
   service: http