From e58aacfb1399db985c6d92663bc81468a089e8a8 Mon Sep 17 00:00:00 2001
From: blotus
Date: Fri, 25 Oct 2024 09:33:36 +0200
Subject: [PATCH] Add more appsec vpatch rules (#1134)
---
 .../vpatch-CVE-2018-20062/config.yaml | 3 +
 .../vpatch-CVE-2018-20062.yaml | 31 +++++
 .../vpatch-CVE-2021-26086/config.yaml | 3 +
 .../vpatch-CVE-2021-26086.yaml | 43 ++++++
 .../vpatch-CVE-2024-28987/config.yaml | 3 +
 .../vpatch-CVE-2024-28987.yaml | 21 +++
 .../vpatch-CVE-2024-38856/config.yaml | 3 +
 .../vpatch-CVE-2024-38856.yaml | 48 +++++++
 .index.json | 129 +++++++++++++++++-
 .../crowdsecurity/vpatch-CVE-2018-20062.yaml | 43 ++++++
 .../crowdsecurity/vpatch-CVE-2021-26086.yaml | 34 +++++
 .../crowdsecurity/vpatch-CVE-2024-28987.yaml | 27 ++++
 .../crowdsecurity/vpatch-CVE-2024-38856.yaml | 38 ++++++
 .../appsec-virtual-patching.yaml | 4 +
 taxonomy/scenarios.json | 82 +++++++++++
 15 files changed, 509 insertions(+), 3 deletions(-)
 create mode 100644 .appsec-tests/vpatch-CVE-2018-20062/config.yaml
 create mode 100755 .appsec-tests/vpatch-CVE-2018-20062/vpatch-CVE-2018-20062.yaml
 create mode 100644 .appsec-tests/vpatch-CVE-2021-26086/config.yaml
 create mode 100755 .appsec-tests/vpatch-CVE-2021-26086/vpatch-CVE-2021-26086.yaml
 create mode 100644 .appsec-tests/vpatch-CVE-2024-28987/config.yaml
 create mode 100755 .appsec-tests/vpatch-CVE-2024-28987/vpatch-CVE-2024-28987.yaml
 create mode 100644 .appsec-tests/vpatch-CVE-2024-38856/config.yaml
 create mode 100755 .appsec-tests/vpatch-CVE-2024-38856/vpatch-CVE-2024-38856.yaml
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2018-20062.yaml
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2021-26086.yaml
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-28987.yaml
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-38856.yaml
diff --git a/.appsec-tests/vpatch-CVE-2018-20062/config.yaml b/.appsec-tests/vpatch-CVE-2018-20062/config.yaml
new file mode 100644
index 00000000000..3a7c647ea9d
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2018-20062/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+ - ./appsec-rules/crowdsecurity/vpatch-CVE-2018-20062.yaml
+nuclei_template: vpatch-CVE-2018-20062.yaml
diff --git a/.appsec-tests/vpatch-CVE-2018-20062/vpatch-CVE-2018-20062.yaml b/.appsec-tests/vpatch-CVE-2018-20062/vpatch-CVE-2018-20062.yaml
new file mode 100755
index 00000000000..02e7ef1a364
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2018-20062/vpatch-CVE-2018-20062.yaml
@@ -0,0 +1,31 @@
+id: vpatch-CVE-2018-20062
+info:
+ name: vpatch-CVE-2018-20062
+ author: crowdsec
+ severity: info
+ description: vpatch-CVE-2018-20062 testing
+ tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+ - raw:
+ - |
+ GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20'phpinfo();' HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /public/index.php?s=foo' HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /public/index.php?s=' HTTP/1.1
+ Host: {{Hostname}}
+
+
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - "status_code_1 == 403"
+ - "status_code_2 == 404"
+ - "status_code_3 == 404"
+
diff --git a/.appsec-tests/vpatch-CVE-2021-26086/config.yaml b/.appsec-tests/vpatch-CVE-2021-26086/config.yaml
new file mode 100644
index 00000000000..92c6daeeeb8
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2021-26086/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+ - ./appsec-rules/crowdsecurity/vpatch-CVE-2021-26086.yaml
+nuclei_template: vpatch-CVE-2021-26086.yaml
diff --git a/.appsec-tests/vpatch-CVE-2021-26086/vpatch-CVE-2021-26086.yaml b/.appsec-tests/vpatch-CVE-2021-26086/vpatch-CVE-2021-26086.yaml
new file mode 100755
index 00000000000..89032feb8d5
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2021-26086/vpatch-CVE-2021-26086.yaml
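Review bot: The `#this is a dummy request, edit the request(s) to match your needs` and `#test will fail because we won't match http status` lines are leftover scaffold comments that no longer describe this template — the three requests are the real cases and the DSL matcher does check the status codes — so they should be removed before merge. The same stale comments survive in .appsec-tests/vpatch-CVE-2024-28987/vpatch-CVE-2024-28987.yaml and, the second one only, in .appsec-tests/vpatch-CVE-2024-38856/vpatch-CVE-2024-38856.yaml; a reader of those tests is told the test will fail when it is expected to pass.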
@@ -0,0 +1,43 @@
+id: vpatch-CVE-2021-26086
+info:
+ name: vpatch-CVE-2021-26086
+ author: crowdsec
+ severity: info
+ description: vpatch-CVE-2021-26086 testing
+ tags: appsec-testing
+http:
+ - raw:
+ - |
+ GET /s/{{randstr}}/_/%3b/WEB-INF/web.xml HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /s/{{randstr}}/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /s/{{randstr}}/_/%3b/WEB-INF/decorators.xml HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /s/{{randstr}}/_/%3b/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /s/{{randstr}}/_/%3b/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /s/{{randstr}}/_/%3b/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1
+ Host: {{Hostname}}
+ - |
+ GET /s/{{randstr}}/_/%3b/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - "status_code_1 == 403"
+ - "status_code_2 == 403"
+ - "status_code_3 == 403"
+ - "status_code_4 == 403"
+ - "status_code_5 == 403"
+ - "status_code_6 == 403"
+ - "status_code_7 == 403"
diff --git a/.appsec-tests/vpatch-CVE-2024-28987/config.yaml b/.appsec-tests/vpatch-CVE-2024-28987/config.yaml
new file mode 100644
index 00000000000..22d287ea405
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-28987/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+ - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-28987.yaml
+nuclei_template: vpatch-CVE-2024-28987.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-28987/vpatch-CVE-2024-28987.yaml b/.appsec-tests/vpatch-CVE-2024-28987/vpatch-CVE-2024-28987.yaml
new file mode 100755
index 00000000000..81303465e8b
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-28987/vpatch-CVE-2024-28987.yaml
@@ -0,0 +1,21 @@
+id: vpatch-CVE-2024-28987
+info:
+ name: vpatch-CVE-2024-28987
+ author: crowdsec
+ severity: info
+ description: vpatch-CVE-2024-28987 testing
+ tags: appsec-testing
+http:
+#this is a dummy request, edit the request(s) to match your needs
+ - raw:
+ - |
+ GET / HTTP/1.1
+ Host: {{Hostname}}
+ Authorization: aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==
+
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: status
+ status:
+ - 403
diff --git a/.appsec-tests/vpatch-CVE-2024-38856/config.yaml b/.appsec-tests/vpatch-CVE-2024-38856/config.yaml
new file mode 100644
index 00000000000..15b6bca96ae
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-38856/config.yaml
@@ -0,0 +1,3 @@
+appsec-rules:
+ - ./appsec-rules/crowdsecurity/vpatch-CVE-2024-38856.yaml
+nuclei_template: vpatch-CVE-2024-38856.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-38856/vpatch-CVE-2024-38856.yaml b/.appsec-tests/vpatch-CVE-2024-38856/vpatch-CVE-2024-38856.yaml
new file mode 100755
index 00000000000..4ce4ed1f900
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-38856/vpatch-CVE-2024-38856.yaml
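Review bot: The single request sends the credential as a bare base64 value in `Authorization`, whereas an HTTP Basic client sends `Authorization: Basic <base64>`, so this test never shows whether the rule's `b64decode` transform copes with the scheme prefix in front of the encoded value. Adding a second request with the `Basic ` prefix and switching the matcher to a two-status DSL covers both forms; if the prefixed request is not blocked, the rule in appsec-rules/crowdsecurity/vpatch-CVE-2024-28987.yaml needs to account for the prefix rather than the test being relaxed.
```yaml
 - raw:
 # … unchanged: first request, bare base64 value without the Basic scheme …
 - |
 GET / HTTP/1.1
 Host: {{Hostname}}
 Authorization: Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==

 cookie-reuse: true
 matchers:
 - type: dsl
 condition: and
 dsl:
 - "status_code_1 == 403"
 - "status_code_2 == 403"
```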
@@ -0,0 +1,48 @@
+id: vpatch-CVE-2024-38856
+info:
+ name: vpatch-CVE-2024-38856
+ author: crowdsec
+ severity: info
+ description: vpatch-CVE-2024-38856 testing
+ tags: appsec-testing
+http:
+ - raw:
+ - |
+ POST /{{randstr}}/webtools/control/forgotPassword/ProgramExport HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Host: {{Hostname}}
+
+ groovyProgram=throw+new+Exception('id'.execute().text)
+ - |
+ POST /{{randstr}}/webtools/control/main/ProgramExport HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Host: {{Hostname}}
+
+ groovyProgram=throw+new+Exception('id'.execute().text)
+ - |
+ POST /{{randstr}}/webtools/control/view/ProgramExport HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Host: {{Hostname}}
+
+ groovyProgram=throw+new+Exception('id'.execute().text)#
+ - |
+ POST /{{randstr}}/webtools/control/testService/ProgramExport HTTP/1.1
+ Content-Type: application/x-www-form-urlencoded
+ Host: {{Hostname}}
+
+ groovyProgram=throw+new+Exception('id'.execute().text)
+ - |
+ GET /{{randstr}}/webtools/control/testService/ProgramExport?groovyProgram=throw+new+Exception('id'.execute().text) HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+#test will fail because we won't match http status
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - "status_code_1 == 403"
+ - "status_code_2 == 403"
+ - "status_code_3 == 403"
+ - "status_code_4 == 403"
+ - "status_code_5 == 403"
diff --git a/.index.json b/.index.json
index f047d853fb6..337bde5bb89 100644
--- a/.index.json
+++ b/.index.json
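Review bot: The third request's body ends in a stray `#` (`...execute().text)#`) that none of the other four requests carry, so that case differs from its siblings without anything saying why. It reads as an accidental keystroke rather than a deliberate variant; either drop the `#` so all five bodies are identical, or add a comment above that request stating the variant is intentional and what it is meant to show.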
@@ -306,6 +306,36 @@
 "type": "exploit"
 }
 },
+ "crowdsecurity/vpatch-CVE-2018-20062": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2018-20062.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "cc3d014f9fc20bace548415f6e263764440c35e087a259830ff0095464471095",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "ThinkPHP - RCE (CVE-2018-20062)",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2018-20062",
+ "attack.T1595",
+ "attack.T1190"
+ ],
+ "confidence": 3,
+ "label": "ThinkPHP - RCE",
+ "references": [
+ "https://nvd.nist.gov/vuln/detail/CVE-2018-20062",
+ "https://www.exploit-db.com/exploits/45978"
+ ],
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
 "crowdsecurity/vpatch-CVE-2019-1003030": {
 "path": "appsec-rules/crowdsecurity/vpatch-CVE-2019-1003030.yaml",
 "version": "0.1",
@@ -534,6 +564,37 @@
 "type": "exploit"
 }
 },
+ "crowdsecurity/vpatch-CVE-2021-26086": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2021-26086.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "535e08ea92881b250e16cf917c2817c8e32141b8141630b0a871480b01bab8cd",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include (CVE-2021-26086)",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2021-26086",
+ "CWE.22",
+ "attack.T1595",
+ "attack.T1190"
+ ],
+ "confidence": 3,
+ "label": "Atlassian Jira Server/Data Center 8.4.0 File Read",
+ "references": [
+ "https://github.com/ColdFusionX/CVE-2021-26086",
+ "https://nvd.nist.gov/vuln/detail/CVE-2021-26086"
+ ],
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
 "crowdsecurity/vpatch-CVE-2021-3129": {
 "path": "appsec-rules/crowdsecurity/vpatch-CVE-2021-3129.yaml",
 "version": "0.4",
@@ -2102,6 +2163,33 @@
 "type": "exploit"
 }
 },
+ "crowdsecurity/vpatch-CVE-2024-28987": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-28987.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "9f357a599c62a2aaa03a9a16e2ea7e247b94e29c8cfa859869f0f39b52f6d17a",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "SolarWinds WHD Hardcoded Credentials (CVE-2024-28987)",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2024-28987",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-798"
+ ],
+ "confidence": 3,
+ "label": "SolarWinds WHD Hardcoded Credentials",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
 "crowdsecurity/vpatch-CVE-2024-29824": {
 "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-29824.yaml",
 "version": "0.1",
@@ -2305,6 +2393,33 @@
 "type": "exploit"
 }
 },
+ "crowdsecurity/vpatch-CVE-2024-38856": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-38856.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "de76534f173e4eb876dde957244121298f3032e074f2832615e9fb5c84a7f067",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "Apache OFBiz Incorrect Authorization (CVE-2024-38856)",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2024-38856",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-853"
+ ],
+ "confidence": 3,
+ "label": "Apache OFBiz Incorrect Authorization",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
 "crowdsecurity/vpatch-CVE-2024-4577": {
 "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-4577.yaml",
 "version": "0.1",
@@ -3233,7 +3348,7 @@
 },
 "crowdsecurity/appsec-virtual-patching": {
 "path": "collections/crowdsecurity/appsec-virtual-patching.yaml",
- "version": "4.0",
+ "version": "4.1",
 "versions": {
 "0.1": {
 "digest": "a165d638c8d826a932e4ca4e70ec5379d558a0bee1356e871c7c92cc2df714fc",
@@ -3394,10 +3509,14 @@
 "4.0": {
 "digest": "368679c328cc886eb25027046c94d82d141bc701e9fa398275c6ee4d5a6de70e",
 "deprecated": false
+ },
+ "4.1": {
+ "digest": "541309db799190b3791bd72fd289cdab50c8ba7d90ae99084918ace0a890050a",
+ "deprecated": false
 }
 },
 "long_description": "IyBBcHBTZWMgVmlydHVhbCBQYXRjaGluZwoKVGhpcyBjb2xsZWN0aW9uIGNvbnRhaW5zIHZpcnR1YWwgcGF0Y2hpbmcgZm9yIGNvbW1vbmx5IGV4cGxvaXRlZCB2dWxuZXJhYmlsaXRpZXMsIGFuZCBpcyBpbnNwaXJlZCBieSB0aGUgW0NJU0EgS25vd24gRXhwbG9pdGVkIFZ1bG5lcmFiaWxpdGllcyBDYXRhbG9nXShodHRwczovL3d3dy5jaXNhLmdvdi9rbm93bi1leHBsb2l0ZWQtdnVsbmVyYWJpbGl0aWVzLWNhdGFsb2cpLiBUaGUgZ29hbCBpcyB0byBwcm92aWRlIHZpcnR1YWwgcGF0Y2hpbmcgY2FwYWJpbGl0aWVzIGZvciB0aGUgbW9zdCBvZnRlbiBleHBsb2l0ZWQgdnVsbmVyYWJpbGl0aWVzLCBhdm9pZGluZyBmYWxzZSBwb3NpdGl2ZXMgd2hpbGUgY2F0Y2hpbmcgcGVvcGxlIHNjb3V0aW5nIHlvdXIgYXBwbGljYXRpb25zIGZvciBqdWljeSB2dWxuZXJhYmlsaXRpZXMuCg==",
- "content": "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",
+ "content": "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",
 "description": "a generic virtual patching collection, suitable for most web servers.",
 "author": "crowdsecurity",
 "labels": null,
@@ -3469,7 +3588,11 @@
 "crowdsecurity/vpatch-CVE-2024-29973",
 "crowdsecurity/vpatch-CVE-2022-41082",
 "crowdsecurity/vpatch-CVE-2019-18935",
- "crowdsecurity/vpatch-CVE-2024-8190"
+ "crowdsecurity/vpatch-CVE-2024-8190",
+ "crowdsecurity/vpatch-CVE-2024-28987",
+ "crowdsecurity/vpatch-CVE-2024-38856",
+ "crowdsecurity/vpatch-CVE-2018-20062",
+ "crowdsecurity/vpatch-CVE-2021-26086"
 ],
 "appsec-configs": [
 "crowdsecurity/virtual-patching",
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2018-20062.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2018-20062.yaml
new file mode 100644
index 00000000000..1bad4e77cc7
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2018-20062.yaml
@@ -0,0 +1,43 @@
+name: crowdsecurity/vpatch-CVE-2018-20062
+description: "ThinkPHP - RCE (CVE-2018-20062)"
+rules:
+ - and:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: endsWith
+ value: index.php
+ - zones:
+ - ARGS
+ variables:
+ - s
+ transform:
+ - lowercase
+ match:
+ type: contains
+ value: think
+ - zones:
+ - ARGS
+ variables:
+ - s
+ transform:
+ - lowercase
+ match:
+ type: regex
+ value: "[^A-Za-z0-9_.]*"
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "ThinkPHP - RCE"
+ references:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-20062
+ - https://www.exploit-db.com/exploits/45978
+ classification:
+ - cve.CVE-2018-20062
+ - attack.T1595
+ - attack.T1190
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2021-26086.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2021-26086.yaml
new file mode 100644
index 00000000000..2646d9cdaba
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2021-26086.yaml
@@ -0,0 +1,34 @@
+name: crowdsecurity/vpatch-CVE-2021-26086
+description: "Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include (CVE-2021-26086)"
+rules:
+ - or:
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: contains
+ value: /;/web-inf/
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: contains
+ value: /;/meta-inf/
+
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Atlassian Jira Server/Data Center 8.4.0 File Read"
+ references:
+ - https://github.com/ColdFusionX/CVE-2021-26086
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-26086
+ classification:
+ - cve.CVE-2021-26086
+ - CWE.22
+ - attack.T1595
+ - attack.T1190
\ No newline at end of file
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-28987.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-28987.yaml
new file mode 100644
index 00000000000..0653c7738d7
--- /dev/null
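Review bot: The third `and` branch's regex `[^A-Za-z0-9_.]*` can match the empty string, so it succeeds on every value of `s` and adds no constraint; the rule effectively reduces to `endsWith index.php` plus `contains think`. If the intent is to require a non-identifier character in `s` (the exploit path in the test contains `/` and `\`), the line should read `value: "[^A-Za-z0-9_.]+"`. The nuclei test in .appsec-tests/vpatch-CVE-2018-20062/ would then also benefit from a negative case such as `GET /public/index.php?s=think HTTP/1.1` expected to return 404, since its two current non-blocked requests omit `think` and never exercise the regex branch at all. Changing the rule file presumably also changes the `digest` recorded for it in .index.json.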
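Review bot: The classification entry `CWE.22` does not follow the `cwe.CWE-<id>` form used by the two other new rules in this commit (`cwe.CWE-798` in vpatch-CVE-2024-28987, `cwe.CWE-853` in vpatch-CVE-2024-38856), and the taxonomy/scenarios.json entry added for this rule is the only one of the three with a CWE tag in the rule but no `cwes` array — presumably the tag is not recognised in this spelling. Changing the line to `- cwe.CWE-22` would align it with its siblings and, if the taxonomy is generated from the rule, populate `cwes` on regeneration. The file also lacks a trailing newline (`\ No newline at end of file`), as does vpatch-CVE-2024-28987.yaml.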
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-28987.yaml
@@ -0,0 +1,27 @@
+
+name: crowdsecurity/vpatch-CVE-2024-28987
+description: "SolarWinds WHD Hardcoded Credentials (CVE-2024-28987)"
+rules:
+ - and:
+ - zones:
+ - HEADERS
+ variables:
+ - Authorization
+ transform:
+ - b64decode
+ - lowercase
+ match:
+ type: contains
+ value: "helpdeskintegrationuser:dev-c4f8025e7"
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "SolarWinds WHD Hardcoded Credentials"
+ classification:
+ - cve.CVE-2024-28987
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-798
\ No newline at end of file
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-38856.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-38856.yaml
new file mode 100644
index 00000000000..513fe772d7f
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-38856.yaml
@@ -0,0 +1,38 @@
+name: crowdsecurity/vpatch-CVE-2024-38856
+description: "Apache OFBiz Incorrect Authorization (CVE-2024-38856)"
+rules:
+ - and:
+ - zones:
+ - METHOD
+ match:
+ type: regex
+ value: (GET|POST)
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ match:
+ type: regex
+ value: /webtools/control/(main|view|testservice|showdatetime|forgotpassword)/programexport
+ - zones:
+ - BODY_ARGS
+ - ARGS
+ variables:
+ - groovyProgram
+ transform:
+ - count
+ match:
+ type: gte
+ value: 1
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "Apache OFBiz Incorrect Authorization"
+ classification:
+ - cve.CVE-2024-38856
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-853
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
index 6a913b7b9e0..f9c7276508d 100644
--- a/collections/crowdsecurity/appsec-virtual-patching.yaml
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
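Review bot: The file opens with an empty added line before `name:` and ends without a trailing newline; neither matches the other rule files in this commit and both are worth tidying. Unlike vpatch-CVE-2018-20062 and vpatch-CVE-2021-26086, this rule also carries no `references:` block, so an operator who sees the alert has no pointer to the advisory; adding `references:` with `- https://nvd.nist.gov/vuln/detail/CVE-2024-28987`, in the form the sibling rules use, fixes that (the same gap exists in vpatch-CVE-2024-38856.yaml). Whether `b64decode` tolerates the `Basic ` scheme prefix that real Basic-auth clients put in front of the encoded value is not shown by the accompanying test, which sends the bare base64 only.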
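Review bot: The classification `cwe.CWE-853` looks like a typo: the description and label say "Incorrect Authorization", which is CWE-863, and CWE-853 does not appear to be a weakness entry. The same id is copied into the .index.json and taxonomy/scenarios.json entries for this rule in this commit, so all three places would need the change to `- cwe.CWE-863` (and `"CWE-863"` in the taxonomy `cwes` array); confirm against the NVD record before changing.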
@@ -64,6 +64,10 @@ appsec-rules:
 - crowdsecurity/vpatch-CVE-2022-41082
 - crowdsecurity/vpatch-CVE-2019-18935
 - crowdsecurity/vpatch-CVE-2024-8190
+- crowdsecurity/vpatch-CVE-2024-28987
+- crowdsecurity/vpatch-CVE-2024-38856
+- crowdsecurity/vpatch-CVE-2018-20062
+- crowdsecurity/vpatch-CVE-2021-26086
 author: crowdsecurity
 contexts:
 - crowdsecurity/appsec_base
diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json
index b7bb276f4c3..5cb76fc7c0f 100644
--- a/taxonomy/scenarios.json
+++ b/taxonomy/scenarios.json
@@ -119,6 +119,25 @@
 "CWE-22"
 ]
 },
+ "crowdsecurity/vpatch-CVE-2018-20062": {
+ "name": "crowdsecurity/vpatch-CVE-2018-20062",
+ "description": "ThinkPHP - RCE (CVE-2018-20062)",
+ "label": "ThinkPHP - RCE",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2018-20062"
+ ]
+ },
 "crowdsecurity/vpatch-CVE-2019-1003030": {
 "name": "crowdsecurity/vpatch-CVE-2019-1003030",
 "description": "Jenkins - RCE (CVE-2019-1003030)",
@@ -273,6 +292,25 @@
 "CWE-284"
 ]
 },
+ "crowdsecurity/vpatch-CVE-2021-26086": {
+ "name": "crowdsecurity/vpatch-CVE-2021-26086",
+ "description": "Atlassian Jira Server/Data Center 8.4.0 - Limited Remote File Read/Include (CVE-2021-26086)",
+ "label": "Atlassian Jira Server/Data Center 8.4.0 File Read",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2021-26086"
+ ]
+ },
 "crowdsecurity/vpatch-CVE-2021-3129": {
 "name": "crowdsecurity/vpatch-CVE-2021-3129",
 "description": "Laravel with Ignition Debug Mode RCE (CVE-2021-3129)",
@@ -1295,6 +1333,28 @@
 "CWE-94"
 ]
 },
+ "crowdsecurity/vpatch-CVE-2024-28987": {
+ "name": "crowdsecurity/vpatch-CVE-2024-28987",
+ "description": "SolarWinds WHD Hardcoded Credentials (CVE-2024-28987)",
+ "label": "SolarWinds WHD Hardcoded Credentials",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2024-28987"
+ ],
+ "cwes": [
+ "CWE-798"
+ ]
+ },
 "crowdsecurity/vpatch-CVE-2024-29824": {
 "name": "crowdsecurity/vpatch-CVE-2024-29824",
 "description": "Ivanti EPM - SQLi (CVE-2024-29824)",
@@ -1443,6 +1503,28 @@
 "CWE-611"
 ]
 },
+ "crowdsecurity/vpatch-CVE-2024-38856": {
+ "name": "crowdsecurity/vpatch-CVE-2024-38856",
+ "description": "Apache OFBiz Incorrect Authorization (CVE-2024-38856)",
+ "label": "Apache OFBiz Incorrect Authorization",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2024-38856"
+ ],
+ "cwes": [
+ "CWE-853"
+ ]
+ },
 "crowdsecurity/vpatch-CVE-2024-4577": {
 "name": "crowdsecurity/vpatch-CVE-2024-4577",
 "description": "PHP CGI Command Injection - CVE-2024-4577",