* CVE-2024-3272

* CVE-2024-32113

* fix CVE and title


---------

Co-authored-by: GitHub Action <[email protected]>
buixor and actions-user authored Jul 19, 2024
1 parent d91f10b commit 12b3713
Showing 10 changed files with 263 additions and 11 deletions.
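--- a/.appsec-tests/vpatch-CVE-2024-32113/config.yaml
+++ b/.appsec-tests/vpatch-CVE-2024-32113/config.yaml
@@ -0,0 +1,5 @@
+
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-32113.yaml
+nuclei_template: test-CVE-2024-32113.yaml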
28 changes: 28 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-32113/test-CVE-2024-32113.yaml
@@ -0,0 +1,28 @@
id: test-CVE-2024-32113
info:
name: test-CVE-2024-32113
author: crowdsec
severity: info
description: test-CVE-2024-32113 testing
tags: appsec-testing
http:
- raw:
- |
POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
groovyProgram=throw+new+Exception('id'.execute().text);
- |
POST /webtools/control/forgotPassword;/ProgramExport HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
groovyProgram=\u0074\u0068\u0072\u006f\u0077\u0020\u006e\u0065\u0077\u0020\u0045\u0078\u0063\u0065\u0070\u0074\u0069\u006f\u006e\u0028\u0027\u0069\u0064\u0027\u002e\u0065\u0078\u0065\u0063\u0075\u0074\u0065\u0028\u0029\u002e\u0074\u0065\u0078\u0074\u0029\u003b
cookie-reuse: true
matchers:
- type: dsl
condition: and
dsl:
- "status_code_1 == 403"
- "status_code_2 == 403"
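Review bot: The second raw request adds no coverage for the rule it is meant to exercise: it repeats the URI of the first and changes only the encoding of the `groovyProgram` body, while vpatch-CVE-2024-32113.yaml in this commit matches on METHOD and URI alone. A request that differs where the rule actually looks would test more, for example `POST /webtools/control/FORGOTPASSWORD;/programexport HTTP/1.1` to confirm the `lowercase` transform. There is also no benign request showing that a plain `POST /webtools/control/forgotPassword` is not blocked, so a rule that over-matches would still pass this test. test-CVE-2024-3272.yaml has the same shape: both requests carry `cmd=15` and `system`, and they differ only in `user`/`passwd`, which that rule does not inspect.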
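--- a/.appsec-tests/vpatch-CVE-2024-3272/config.yaml
+++ b/.appsec-tests/vpatch-CVE-2024-3272/config.yaml
@@ -0,0 +1,5 @@
+
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-3272.yaml
+nuclei_template: test-CVE-2024-3272.yaml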
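--- a/.appsec-tests/vpatch-CVE-2024-3272/test-CVE-2024-3272.yaml
+++ b/.appsec-tests/vpatch-CVE-2024-3272/test-CVE-2024-3272.yaml
@@ -0,0 +1,22 @@
+id: test-CVE-2024-3272
+info:
+name: test-CVE-2024-3272
+author: crowdsec
+severity: info
+description: test-CVE-2024-3272 testing
+tags: appsec-testing
+http:
+- raw:
+- |
+GET /cgi-bin/nas_sharing.cgi?user=&passwd=&cmd=15&system=aWQ= HTTP/1.1
+Host: {{Hostname}}
+- |
+GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&cmd=15&system=aWQ= HTTP/1.1
+Host: {{Hostname}}
+cookie-reuse: true
+matchers:
+- type: dsl
+condition: and
+dsl:
+- "status_code_1 == 403"
+- "status_code_2 == 403"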
90 changes: 83 additions & 7 deletions .index.json
@@ -1835,7 +1835,7 @@
},
"crowdsecurity/vpatch-CVE-2024-27198": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-27198.yaml",
"version": "0.4",
"version": "0.5",
"versions": {
"0.1": {
"digest": "1bd4f1a3645fc3a5ed7311cd2fdc535417963f0e8f9872a0fcdad2c6fe92b260",
@@ -1852,21 +1852,25 @@
"0.4": {
"digest": "b8b51dea722e3c2e4d3a8349718e4642fc4746c02bb152a12e7aca185daf114e",
"deprecated": false
},
"0.5": {
"digest": "8b267345d9dedb9c76a884801651d4190eecd4df8fbd7b30f3bc38513d00ad5c",
"deprecated": false
}
},
"content": "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",
"content": "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",
"description": "Teamcity - Authentication Bypass (CVE-2024-27198)",
"author": "crowdsecurity",
"labels": {
"behavior": "http:exploit",
"classification": [
"cve.CVE-2017-9841",
"cve.CVE-2024-27198",
"attack.T1595",
"attack.T1190",
"cwe.CWE-94"
],
"confidence": 3,
"label": "PHPUnit RCE",
"label": "Teamcity - Authentication Bypass",
"service": "http",
"spoofable": 0,
"type": "exploit"
@@ -1914,6 +1918,60 @@
"type": "exploit"
}
},
"crowdsecurity/vpatch-CVE-2024-32113": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-32113.yaml",
"version": "0.1",
"versions": {
"0.1": {
"digest": "20d3a940db05d005ee4c49d1f79f5f62b84e54e244938aff08272297db673106",
"deprecated": false
}
},
"content": "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",
"description": "Apache OFBiz - Path Traversal (CVE-2024-32113)",
"author": "crowdsecurity",
"labels": {
"behavior": "http:exploit",
"classification": [
"cve.CVE-2024-32113",
"attack.T1595",
"attack.T1190",
"cwe.CWE-22"
],
"confidence": 3,
"label": "Apache OFBiz - Path Traversal",
"service": "http",
"spoofable": 0,
"type": "exploit"
}
},
"crowdsecurity/vpatch-CVE-2024-3272": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-3272.yaml",
"version": "0.1",
"versions": {
"0.1": {
"digest": "ed43876261d4b14056a73ff1ab5aacb1d2b2cb4e070aa312775f38f98108fbcb",
"deprecated": false
}
},
"content": "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",
"description": " D-Link NAS - RCE (CVE-2024-3272)",
"author": "crowdsecurity",
"labels": {
"behavior": "http:exploit",
"classification": [
"cve.CVE-2024-3272",
"attack.T1595",
"attack.T1190",
"cwe.CWE-287"
],
"confidence": 3,
"label": " D-Link NAS - RCE",
"service": "http",
"spoofable": 0,
"type": "exploit"
}
},
"crowdsecurity/vpatch-CVE-2024-3273": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-3273.yaml",
"version": "0.1",
@@ -2831,7 +2889,7 @@
},
"crowdsecurity/appsec-virtual-patching": {
"path": "collections/crowdsecurity/appsec-virtual-patching.yaml",
"version": "2.9",
"version": "3.3",
"versions": {
"0.1": {
"digest": "a165d638c8d826a932e4ca4e70ec5379d558a0bee1356e871c7c92cc2df714fc",
@@ -2948,10 +3006,26 @@
"2.9": {
"digest": "73305f1c435480e871a94ec59f09e71e93c41b2ae0e8af4faad789e314400436",
"deprecated": false
},
"3.0": {
"digest": "ac6307b79c4bb31ad396a1a8f4f080edc339f97c2fba54805c7ffb07d1ef6983",
"deprecated": false
},
"3.1": {
"digest": "a8699f10f6e47357969aa07e6e77607dfac7246fa231f59e0a9a363ba3fdfc3b",
"deprecated": false
},
"3.2": {
"digest": "73305f1c435480e871a94ec59f09e71e93c41b2ae0e8af4faad789e314400436",
"deprecated": false
},
"3.3": {
"digest": "7cd4bdca37098a2a398262c253dfa2d2925168b1820cc58ea62ea953a1517722",
"deprecated": false
}
},
"long_description": "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",
"content": "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",
"content": "bmFtZTogY3Jvd2RzZWN1cml0eS9hcHBzZWMtdmlydHVhbC1wYXRjaGluZwphcHBzZWMtcnVsZXM6CiAgLSBjcm93ZHNlY3VyaXR5L2Jhc2UtY29uZmlnCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1lbnYtYWNjZXNzCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00MDA0NAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTctOTg0MQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjAtMTE3MzgKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTI3OTI2CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi0zNTkxNAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDYxNjkKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMTk4CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMjUxNQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzM2MTcKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTE5CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00Mjc5MwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNTAxNjQKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM4MjA1CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yNDQ4OQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMzEyOQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMjI5NDEKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE5LTEyOTg5CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NDg3NwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTgtMTA1NjIKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTY1NTMKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwMDA4NjEKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE5LTEwMDMwMzAKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTY1CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzc1MgogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDkwNzAKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWxhcmF2ZWwtZGVidWctbW9kZQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjgxMjEKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIwLTE3NDk2CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0xMzg5CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy03MDI4CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00NjgwNQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjM4OTcKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIyNTI3CiAgLSBj
cm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTA3OAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUwODIKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTU0CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0xMjEyCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1zeW1mb255LXByb2ZpbGVyCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1jb25uZWN0d2lzZS1hdXRoLWJ5cGFzcwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjIwMjQKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3MTk4CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjczCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC00NTc3CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yOTg0OQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDcyMTgKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWdpdC1jb25maWcKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTMyMTEzCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjcyCmFwcHNlYy1jb25maWdzOgogIC0gY3Jvd2RzZWN1cml0eS92aXJ0dWFsLXBhdGNoaW5nCiAgLSBjcm93ZHNlY3VyaXR5L2FwcHNlYy1kZWZhdWx0CnBhcnNlcnM6CiAgLSBjcm93ZHNlY3VyaXR5L2FwcHNlYy1sb2dzCnNjZW5hcmlvczoKICAtIGNyb3dkc2VjdXJpdHkvYXBwc2VjLXZwYXRjaApjb250ZXh0czoKICAtIGNyb3dkc2VjdXJpdHkvYXBwc2VjX2Jhc2UKZGVzY3JpcHRpb246ICJhIGdlbmVyaWMgdmlydHVhbCBwYXRjaGluZyBjb2xsZWN0aW9uLCBzdWl0YWJsZSBmb3IgbW9zdCB3ZWIgc2VydmVycy4iCmF1dGhvcjogY3Jvd2RzZWN1cml0eQo=",
"description": "a generic virtual patching collection, suitable for most web servers.",
"author": "crowdsecurity",
"labels": null,
@@ -3010,7 +3084,9 @@
"crowdsecurity/vpatch-CVE-2024-4577",
"crowdsecurity/vpatch-CVE-2024-29849",
"crowdsecurity/vpatch-CVE-2023-47218",
"crowdsecurity/vpatch-git-config"
"crowdsecurity/vpatch-git-config",
"crowdsecurity/vpatch-CVE-2024-32113",
"crowdsecurity/vpatch-CVE-2024-3272"
],
"appsec-configs": [
"crowdsecurity/virtual-patching",
4 changes: 2 additions & 2 deletions appsec-rules/crowdsecurity/vpatch-CVE-2024-27198.yaml
@@ -22,9 +22,9 @@ labels:
confidence: 3
spoofable: 0
behavior: "http:exploit"
label: "PHPUnit RCE"
label: "Teamcity - Authentication Bypass"
classification:
- cve.CVE-2017-9841
- cve.CVE-2024-27198
- attack.T1595
- attack.T1190
- cwe.CWE-94
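Review bot: The classification list still ends with `cwe.CWE-94` (code injection), which looks like another leftover from the PHPUnit entry whose label and CVE this hunk corrects. For a rule now labelled "Teamcity - Authentication Bypass", an authentication weakness such as `cwe.CWE-288` would fit better; check the CWE on the CVE-2024-27198 record before changing it. The copy of these labels in .index.json carries the same `cwe.CWE-94` value and would need the same change. The `labels:` block starts above the hunk, so its other fields are not visible here.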
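--- a/appsec-rules/crowdsecurity/vpatch-CVE-2024-32113.yaml
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-32113.yaml
@@ -0,0 +1,28 @@
+name: crowdsecurity/vpatch-CVE-2024-32113
+description: "Apache OFBiz - Path Traversal (CVE-2024-32113)"
+rules:
+- and:
+- zones:
+- METHOD
+match:
+type: equals
+value: POST
+- zones:
+- URI
+transform:
+- lowercase
+match:
+type: equals
+value: /webtools/control/forgotpassword;/programexport
+labels:
+type: exploit
+service: http
+confidence: 3
+spoofable: 0
+behavior: "http:exploit"
+label: "Apache OFBiz - Path Traversal"
+classification:
+- cve.CVE-2024-32113
+- attack.T1595
+- attack.T1190
+- cwe.CWE-22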
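Review bot: The URI condition uses `type: equals` on one literal path, so the virtual patch covers only the exact request form used in the accompanying test. Any encoding or path-parameter variation that the server would still route to the same handler would not match; whether such variations exist depends on OFBiz's URL handling and cannot be confirmed from this page. Matching the distinctive suffix instead, e.g. `type: endsWith` with `value: ;/programexport`, would be less brittle, provided it is checked for false positives on legitimate traffic. A short comment above `rules:` explaining why the `;/programexport` suffix is the signal would also help the next maintainer.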
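--- a/appsec-rules/crowdsecurity/vpatch-CVE-2024-3272.yaml
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-3272.yaml
@@ -0,0 +1,42 @@
+name: crowdsecurity/vpatch-CVE-2024-3272
+description: " D-Link NAS - RCE (CVE-2024-3272)" #UPDATE THIS
+rules:
+- and:
+- zones:
+- METHOD
+match:
+type: equals
+value: GET
+- zones:
+- URI
+transform:
+- lowercase
+match:
+type: endsWith
+value: /cgi-bin/nas_sharing.cgi
+- zones:
+- ARGS
+variables:
+- cmd
+transform:
+- lowercase
+match:
+type: equals
+value: "15"
+- zones:
+- ARGS_NAMES
+match:
+type: equals
+value: system
+labels:
+type: exploit
+service: http
+confidence: 3
+spoofable: 0
+behavior: "http:exploit"
+label: " D-Link NAS - RCE" #UPDATE THIS
+classification:
+- cve.CVE-2024-3272
+- attack.T1595
+- attack.T1190
+- cwe.CWE-287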
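Review bot: `description` and `label` both start with a stray space and still carry the template marker `#UPDATE THIS`; the leading space is copied into the .index.json entry as well. Suggest `description: "D-Link NAS - RCE (CVE-2024-3272)"` and `label: "D-Link NAS - RCE"` with the markers removed. On coverage, the rule requires `METHOD` equals `GET` and reads `cmd` from `ARGS`, so if nas_sharing.cgi also accepts these parameters in a POST body the patch would not fire; that cannot be confirmed from this page. The conditions (`cmd` equal to 15 plus a `system` argument) may also overlap with the existing vpatch-CVE-2024-3273 rule, whose content is not shown here, so it is worth checking that the two do not duplicate each other and that `cwe.CWE-287` matches the CWE on the CVE record.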
2 changes: 2 additions & 0 deletions collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -49,6 +49,8 @@ appsec-rules:
- crowdsecurity/vpatch-CVE-2024-29849
- crowdsecurity/vpatch-CVE-2023-47218
- crowdsecurity/vpatch-git-config
- crowdsecurity/vpatch-CVE-2024-32113
- crowdsecurity/vpatch-CVE-2024-3272
appsec-configs:
- crowdsecurity/virtual-patching
- crowdsecurity/appsec-default