News rules: CVE-2023-47218 and git-config (#1078)

* add rules to collec --------- Co-authored-by: GitHub Action <[email protected]>
crowdsecurity · Jul 18, 2024 · 82f9c46 · 82f9c46
1 parent 7b7452e
commit 82f9c46
Show file tree

Hide file tree

Showing 9 changed files with 227 additions and 3 deletions.
diff --git a/.appsec-tests/vpatch-CVE-2023-47218/config.yaml b/.appsec-tests/vpatch-CVE-2023-47218/config.yaml
@@ -0,0 +1,5 @@
+
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-CVE-2023-47218.yaml
+nuclei_template: test-CVE-2023-47218.yaml
diff --git a/.appsec-tests/vpatch-CVE-2023-47218/test-CVE-2023-47218.yaml b/.appsec-tests/vpatch-CVE-2023-47218/test-CVE-2023-47218.yaml
@@ -0,0 +1,28 @@
+id: test-CVE-2023-47218
+info:
+  name: test-CVE-2023-47218
+  author: crowdsec
+  severity: info
+  description: test-CVE-2023-47218 testing
+  tags: appsec-testing
+variables:
+  file: "{{rand_base(6)}}"
+  cmd: "%22$($(echo -n aWQ=|base64 -d)>{{file}})%22"
+http:
+  - raw:
+      - |
+        POST /cgi-bin/quick/quick.cgi?func=switch_os&todo=uploaf_firmware_image HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data;boundary="avssqwfz"
+
+        --avssqwfz
+        Content-Disposition: form-data; xxpcscma="field2"; zczqildp="{{cmd}}"
+        Content-Type: text/plain
+
+        skfqduny
+        --avssqwfz-
+
+    matchers:
+      - type: status
+        status:
+          - 403
diff --git a/.appsec-tests/vpatch-git-config/config.yaml b/.appsec-tests/vpatch-git-config/config.yaml
@@ -0,0 +1,5 @@
+
+appsec-rules:
+- ./appsec-rules/crowdsecurity/base-config.yaml
+- ./appsec-rules/crowdsecurity/vpatch-git-config.yaml
+nuclei_template: test-vpatch-git-config.yaml
diff --git a/.appsec-tests/vpatch-git-config/test-vpatch-git-config.yaml b/.appsec-tests/vpatch-git-config/test-vpatch-git-config.yaml
@@ -0,0 +1,17 @@
+id: test-vpatch-git-config
+info:
+  name: test-vpatch-git-config
+  author: crowdsec
+  severity: info
+  description: test-vpatch-git-config testing
+  tags: appsec-testing
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/toto/.git/config"
+
+    cookie-reuse: true
+    matchers:
+      - type: status
+        status:
+          - 403
diff --git a/.index.json b/.index.json
@@ -1425,6 +1425,34 @@
     "type": "exploit"
    }
   },
+  "crowdsecurity/vpatch-CVE-2023-47218": {
+   "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-47218.yaml",
+   "version": "0.1",
+   "versions": {
+    "0.1": {
+     "digest": "8f0e7ba65f3701e9ea6804ddf23cbd5bc89fe63724424a0cc3d086244465d786",
+     "deprecated": false
+    }
+   },
+   "content": "bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDcyMTgKZGVidWc6IHRydWUKZGVzY3JpcHRpb246ICJRTkFQIFFUUyAtIFJDRSAoQ1ZFLTIwMjMtNDcyMTgpIgpydWxlczoKICAtIGFuZDoKICAgICAgLSB6b25lczoKICAgICAgICAgIC0gTUVUSE9ECiAgICAgICAgbWF0Y2g6CiAgICAgICAgICB0eXBlOiBlcXVhbHMKICAgICAgICAgIHZhbHVlOiBQT1NUCiAgICAgIC0gem9uZXM6CiAgICAgICAgICAtIFVSSQogICAgICAgIHRyYW5zZm9ybToKICAgICAgICAgIC0gbG93ZXJjYXNlCiAgICAgICAgbWF0Y2g6CiAgICAgICAgICB0eXBlOiBlbmRzV2l0aAogICAgICAgICAgdmFsdWU6IC9jZ2ktYmluL3F1aWNrL3F1aWNrLmNnaQogICAgICAtIHpvbmVzOgogICAgICAgICAgLSBBUkdTCiAgICAgICAgdmFyaWFibGVzOgogICAgICAgICAgLSBmdW5jCiAgICAgICAgdHJhbnNmb3JtOgogICAgICAgICAgLSBsb3dlcmNhc2UKICAgICAgICBtYXRjaDoKICAgICAgICAgIHR5cGU6IGVxdWFscwogICAgICAgICAgdmFsdWU6ICJzd2l0Y2hfb3MiCiAgICAgIC0gem9uZXM6CiAgICAgICAgICAtIEFSR1MKICAgICAgICB2YXJpYWJsZXM6CiAgICAgICAgICAtIHRvZG8KICAgICAgICB0cmFuc2Zvcm06CiAgICAgICAgICAtIGxvd2VyY2FzZQogICAgICAgIG1hdGNoOgogICAgICAgICAgdHlwZTogZXF1YWxzCiAgICAgICAgICB2YWx1ZTogInVwbG9hZl9maXJtd2FyZV9pbWFnZSIKbGFiZWxzOgogIHR5cGU6IGV4cGxvaXQKICBzZXJ2aWNlOiBodHRwCiAgY29uZmlkZW5jZTogMwogIHNwb29mYWJsZTogMAogIGJlaGF2aW9yOiAiaHR0cDpleHBsb2l0IgogIGxhYmVsOiAiUU5BUCBRVFMgLSBSQ0UiCiAgY2xhc3NpZmljYXRpb246CiAgICAtIGN2ZS5DVkUtMjAyMy00NzIxOAogICAgLSBhdHRhY2suVDE1OTUKICAgIC0gYXR0YWNrLlQxMTkwCiAgICAtIGN3ZS5DV0UtNzgKICAgIC0gY3dlLkNXRS03Nwo=",
+   "description": "QNAP QTS - RCE (CVE-2023-47218)",
+   "author": "crowdsecurity",
+   "labels": {
+    "behavior": "http:exploit",
+    "classification": [
+     "cve.CVE-2023-47218",
+     "attack.T1595",
+     "attack.T1190",
+     "cwe.CWE-78",
+     "cwe.CWE-77"
+    ],
+    "confidence": 3,
+    "label": "QNAP QTS - RCE",
+    "service": "http",
+    "spoofable": 0,
+    "type": "exploit"
+   }
+  },
   "crowdsecurity/vpatch-CVE-2023-49070": {
    "path": "appsec-rules/crowdsecurity/vpatch-CVE-2023-49070.yaml",
    "version": "0.1",
@@ -1997,6 +2025,34 @@
     "type": "scan"
    }
   },
+  "crowdsecurity/vpatch-git-config": {
+   "path": "appsec-rules/crowdsecurity/vpatch-git-config.yaml",
+   "version": "0.2",
+   "versions": {
+    "0.1": {
+     "digest": "cf59d1a407e0352662db0c66681d256c0e363560d93109f03ecdee994b04a542",
+     "deprecated": false
+    },
+    "0.2": {
+     "digest": "c1f8230f65f1cb5d1afe8e6ef164ce750ac8056db655d2096ca5dfeffdaa421c",
+     "deprecated": false
+    }
+   },
+   "content": "bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtZ2l0LWNvbmZpZwpkZXNjcmlwdGlvbjogIkRldGVjdCBhY2Nlc3MgdG8gLmdpdCBmaWxlcyIKcnVsZXM6CiAgLSB6b25lczoKICAgICAgLSBVUkkKICAgIHRyYW5zZm9ybToKICAgICAgLSBsb3dlcmNhc2UKICAgIG1hdGNoOgogICAgICB0eXBlOiBjb250YWlucwogICAgICB2YWx1ZTogLy5naXQvY29uZmlnCmxhYmVsczoKICB0eXBlOiBzY2FuCiAgc2VydmljZTogaHR0cAogIGNvbmZpZGVuY2U6IDMKICBzcG9vZmFibGU6IDAKICBiZWhhdmlvcjogImh0dHA6c2NhbiIKICBsYWJlbDogIkFjY2VzcyB0byAuZ2l0IGZpbGUiCiAgY2xhc3NpZmljYXRpb246CiAgICAtIGF0dGFjay5UMTU5NQo=",
+   "description": "Detect access to .git files",
+   "author": "crowdsecurity",
+   "labels": {
+    "behavior": "http:scan",
+    "classification": [
+     "attack.T1595"
+    ],
+    "confidence": 3,
+    "label": "Access to .git file",
+    "service": "http",
+    "spoofable": 0,
+    "type": "scan"
+   }
+  },
   "crowdsecurity/vpatch-laravel-debug-mode": {
    "path": "appsec-rules/crowdsecurity/vpatch-laravel-debug-mode.yaml",
    "version": "0.3",
@@ -2771,7 +2827,7 @@
   },
   "crowdsecurity/appsec-virtual-patching": {
    "path": "collections/crowdsecurity/appsec-virtual-patching.yaml",
-   "version": "2.8",
+   "version": "2.9",
    "versions": {
     "0.1": {
      "digest": "a165d638c8d826a932e4ca4e70ec5379d558a0bee1356e871c7c92cc2df714fc",
@@ -2884,10 +2940,14 @@
     "2.8": {
      "digest": "2201db5d448c155438beb55a34dd87ce649968118ba1c1960db085aa26e18f24",
      "deprecated": false
+    },
+    "2.9": {
+     "digest": "73305f1c435480e871a94ec59f09e71e93c41b2ae0e8af4faad789e314400436",
+     "deprecated": false
     }
    },
    "long_description": "IyBBcHBTZWMgVmlydHVhbCBQYXRjaGluZwoKVGhpcyBjb2xsZWN0aW9uIGNvbnRhaW5zIHZpcnR1YWwgcGF0Y2hpbmcgZm9yIGNvbW1vbmx5IGV4cGxvaXRlZCB2dWxuZXJhYmlsaXRpZXMsIGFuZCBpcyBpbnNwaXJlZCBieSB0aGUgW0NJU0EgS25vd24gRXhwbG9pdGVkIFZ1bG5lcmFiaWxpdGllcyBDYXRhbG9nXShodHRwczovL3d3dy5jaXNhLmdvdi9rbm93bi1leHBsb2l0ZWQtdnVsbmVyYWJpbGl0aWVzLWNhdGFsb2cpLiBUaGUgZ29hbCBpcyB0byBwcm92aWRlIHZpcnR1YWwgcGF0Y2hpbmcgY2FwYWJpbGl0aWVzIGZvciB0aGUgbW9zdCBvZnRlbiBleHBsb2l0ZWQgdnVsbmVyYWJpbGl0aWVzLCBhdm9pZGluZyBmYWxzZSBwb3NpdGl2ZXMgd2hpbGUgY2F0Y2hpbmcgcGVvcGxlIHNjb3V0aW5nIHlvdXIgYXBwbGljYXRpb25zIGZvciBqdWljeSB2dWxuZXJhYmlsaXRpZXMuCg==",
-   "content": "bmFtZTogY3Jvd2RzZWN1cml0eS9hcHBzZWMtdmlydHVhbC1wYXRjaGluZwphcHBzZWMtcnVsZXM6CiAgLSBjcm93ZHNlY3VyaXR5L2Jhc2UtY29uZmlnCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1lbnYtYWNjZXNzCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00MDA0NAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTctOTg0MQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjAtMTE3MzgKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTI3OTI2CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi0zNTkxNAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDYxNjkKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMTk4CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMjUxNQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzM2MTcKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTE5CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00Mjc5MwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNTAxNjQKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM4MjA1CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yNDQ4OQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMzEyOQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMjI5NDEKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE5LTEyOTg5CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NDg3NwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTgtMTA1NjIKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTY1NTMKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwMDA4NjEKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE5LTEwMDMwMzAKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTY1CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzc1MgogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDkwNzAKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWxhcmF2ZWwtZGVidWctbW9kZQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjgxMjEKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIwLTE3NDk2CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0xMzg5CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy03MDI4CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00NjgwNQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjM4OTcKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIyNTI3CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTA3OAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUwODIKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTU0CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0xMjEyCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1zeW1mb255LXByb2ZpbGVyCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1jb25uZWN0d2lzZS1hdXRoLWJ5cGFzcwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjIwMjQKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3MTk4CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjczCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC00NTc3CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yOTg0OQphcHBzZWMtY29uZmlnczoKICAtIGNyb3dkc2VjdXJpdHkvdmlydHVhbC1wYXRjaGluZwogIC0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtZGVmYXVsdApwYXJzZXJzOgogIC0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtbG9ncwpzY2VuYXJpb3M6CiAgLSBjcm93ZHNlY3VyaXR5L2FwcHNlYy12cGF0Y2gKY29udGV4dHM6CiAgLSBjcm93ZHNlY3VyaXR5L2FwcHNlY19iYXNlCmRlc2NyaXB0aW9uOiAiYSBnZW5lcmljIHZpcnR1YWwgcGF0Y2hpbmcgY29sbGVjdGlvbiwgc3VpdGFibGUgZm9yIG1vc3Qgd2ViIHNlcnZlcnMuIgphdXRob3I6IGNyb3dkc2VjdXJpdHkK",
+   "content": "bmFtZTogY3Jvd2RzZWN1cml0eS9hcHBzZWMtdmlydHVhbC1wYXRjaGluZwphcHBzZWMtcnVsZXM6CiAgLSBjcm93ZHNlY3VyaXR5L2Jhc2UtY29uZmlnCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1lbnYtYWNjZXNzCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00MDA0NAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTctOTg0MQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjAtMTE3MzgKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTI3OTI2CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi0zNTkxNAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDYxNjkKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMTk4CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMjUxNQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzM2MTcKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTE5CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00Mjc5MwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNTAxNjQKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM4MjA1CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yNDQ4OQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMzEyOQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMjI5NDEKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE5LTEyOTg5CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NDg3NwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTgtMTA1NjIKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTY1NTMKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwMDA4NjEKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE5LTEwMDMwMzAKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTY1CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzc1MgogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDkwNzAKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWxhcmF2ZWwtZGVidWctbW9kZQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjgxMjEKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIwLTE3NDk2CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0xMzg5CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy03MDI4CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00NjgwNQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjM4OTcKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIyNTI3CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTA3OAogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUwODIKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTU0CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0xMjEyCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1zeW1mb255LXByb2ZpbGVyCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1jb25uZWN0d2lzZS1hdXRoLWJ5cGFzcwogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjIwMjQKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3MTk4CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjczCiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC00NTc3CiAgLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yOTg0OQogIC0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDcyMTgKICAtIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWdpdC1jb25maWcKYXBwc2VjLWNvbmZpZ3M6CiAgLSBjcm93ZHNlY3VyaXR5L3ZpcnR1YWwtcGF0Y2hpbmcKICAtIGNyb3dkc2VjdXJpdHkvYXBwc2VjLWRlZmF1bHQKcGFyc2VyczoKICAtIGNyb3dkc2VjdXJpdHkvYXBwc2VjLWxvZ3MKc2NlbmFyaW9zOgogIC0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtdnBhdGNoCmNvbnRleHRzOgogIC0gY3Jvd2RzZWN1cml0eS9hcHBzZWNfYmFzZQpkZXNjcmlwdGlvbjogImEgZ2VuZXJpYyB2aXJ0dWFsIHBhdGNoaW5nIGNvbGxlY3Rpb24sIHN1aXRhYmxlIGZvciBtb3N0IHdlYiBzZXJ2ZXJzLiIKYXV0aG9yOiBjcm93ZHNlY3VyaXR5Cg==",
    "description": "a generic virtual patching collection, suitable for most web servers.",
    "author": "crowdsecurity",
    "labels": null,
@@ -2944,7 +3004,9 @@
     "crowdsecurity/vpatch-CVE-2024-27198",
     "crowdsecurity/vpatch-CVE-2024-3273",
     "crowdsecurity/vpatch-CVE-2024-4577",
-    "crowdsecurity/vpatch-CVE-2024-29849"
+    "crowdsecurity/vpatch-CVE-2024-29849",
+    "crowdsecurity/vpatch-CVE-2023-47218",
+    "crowdsecurity/vpatch-git-config"
    ],
    "appsec-configs": [
     "crowdsecurity/virtual-patching",

diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-47218.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-47218.yaml
@@ -0,0 +1,48 @@
+name: crowdsecurity/vpatch-CVE-2023-47218
+debug: true
+description: "QNAP QTS - RCE (CVE-2023-47218)"
+rules:
+  - and:
+      - zones:
+          - METHOD
+        match:
+          type: equals
+          value: POST
+      - zones:
+          - URI
+        transform:
+          - lowercase
+        match:
+          type: endsWith
+          value: /cgi-bin/quick/quick.cgi
+      - zones:
+          - ARGS
+        variables:
+          - func
+        transform:
+          - lowercase
+        match:
+          type: equals
+          value: "switch_os"
+      - zones:
+          - ARGS
+        variables:
+          - todo
+        transform:
+          - lowercase
+        match:
+          type: equals
+          value: "uploaf_firmware_image"
+labels:
+  type: exploit
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: "http:exploit"
+  label: "QNAP QTS - RCE"
+  classification:
+    - cve.CVE-2023-47218
+    - attack.T1595
+    - attack.T1190
+    - cwe.CWE-78
+    - cwe.CWE-77
diff --git a/appsec-rules/crowdsecurity/vpatch-git-config.yaml b/appsec-rules/crowdsecurity/vpatch-git-config.yaml
@@ -0,0 +1,19 @@
+name: crowdsecurity/vpatch-git-config
+description: "Detect access to .git files"
+rules:
+  - zones:
+      - URI
+    transform:
+      - lowercase
+    match:
+      type: contains
+      value: /.git/config
+labels:
+  type: scan
+  service: http
+  confidence: 3
+  spoofable: 0
+  behavior: "http:scan"
+  label: "Access to .git file"
+  classification:
+    - attack.T1595
diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml
@@ -47,6 +47,8 @@ appsec-rules:
   - crowdsecurity/vpatch-CVE-2024-3273
   - crowdsecurity/vpatch-CVE-2024-4577
   - crowdsecurity/vpatch-CVE-2024-29849
+  - crowdsecurity/vpatch-CVE-2023-47218
+  - crowdsecurity/vpatch-git-config
 appsec-configs:
   - crowdsecurity/virtual-patching
   - crowdsecurity/appsec-default

diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json
@@ -822,6 +822,29 @@
       "CWE-77"
     ]
   },
+  "crowdsecurity/vpatch-CVE-2023-47218": {
+    "name": "crowdsecurity/vpatch-CVE-2023-47218",
+    "description": "QNAP QTS - RCE (CVE-2023-47218)",
+    "label": "QNAP QTS - RCE",
+    "behaviors": [
+      "http:exploit"
+    ],
+    "mitre_attacks": [
+      "TA0043:T1595",
+      "TA0001:T1190"
+    ],
+    "confidence": 3,
+    "spoofable": 0,
+    "cti": true,
+    "service": "http",
+    "cves": [
+      "CVE-2023-47218"
+    ],
+    "cwes": [
+      "CWE-78",
+      "CWE-77"
+    ]
+  },
   "crowdsecurity/vpatch-CVE-2023-49070": {
     "name": "crowdsecurity/vpatch-CVE-2023-49070",
     "description": "Apache OFBiz - RCE (CVE-2023-49070)",
@@ -1200,6 +1223,21 @@
     "cti": true,
     "service": "http"
   },
+  "crowdsecurity/vpatch-git-config": {
+    "name": "crowdsecurity/vpatch-git-config",
+    "description": "Detect access to .git files",
+    "label": "Access to .git file",
+    "behaviors": [
+      "http:scan"
+    ],
+    "mitre_attacks": [
+      "TA0043:T1595"
+    ],
+    "confidence": 3,
+    "spoofable": 0,
+    "cti": true,
+    "service": "http"
+  },
   "crowdsecurity/vpatch-laravel-debug-mode": {
     "name": "crowdsecurity/vpatch-laravel-debug-mode",
     "description": "Detect bots exploiting laravel debug mode",