From fd14dfe284be9494ab532274085e47052ca86b3c Mon Sep 17 00:00:00 2001 From: "Thibault \"bui\" Koechlin" Date: Tue, 28 Nov 2023 13:43:10 +0100 Subject: [PATCH] CVE 2023 49103 (#878) * support owncloud cve-2023-49103 --------- Co-authored-by: GitHub Action --- .index.json | 45 +++++++++++++++++++-- .tests/cve-2023-49103/config.yaml | 13 ++++++ .tests/cve-2023-49103/cve-2023-49103.log | 2 + .tests/cve-2023-49103/parser.assert | 0 .tests/cve-2023-49103/scenario.assert | 37 +++++++++++++++++ collections/crowdsecurity/http-cve.md | 1 + collections/crowdsecurity/http-cve.yaml | 1 + scenarios/crowdsecurity/CVE-2023-49103.md | 3 ++ scenarios/crowdsecurity/CVE-2023-49103.yaml | 20 +++++++++ taxonomy/scenarios.json | 19 +++++++++ 10 files changed, 137 insertions(+), 4 deletions(-) create mode 100644 .tests/cve-2023-49103/config.yaml create mode 100644 .tests/cve-2023-49103/cve-2023-49103.log create mode 100644 .tests/cve-2023-49103/parser.assert create mode 100644 .tests/cve-2023-49103/scenario.assert create mode 100644 scenarios/crowdsecurity/CVE-2023-49103.md create mode 100644 scenarios/crowdsecurity/CVE-2023-49103.yaml diff --git a/.index.json b/.index.json index 80b720b5d1d..782db981f1e 100644 --- a/.index.json +++ b/.index.json @@ -1009,7 +1009,7 @@ }, "crowdsecurity/http-cve": { "path": "collections/crowdsecurity/http-cve.yaml", - "version": "2.4", + "version": "2.5", "versions": { "0.1": { "digest": "30748e051a470c1bc91506ae63e8784cd054564f90ccc23eb655823fc30e3019", 
@@ -1106,10 +1106,14 @@ "2.4": { "digest": "9a1288c042d53f81c16653efae7084bbb83e56cec8a6eade98c702e2febb8d4e", "deprecated": false + }, + "2.5": { + "digest": "c6c395c6d6d694ecfb8957e93bd8895a8c341511d070486cbd768056a323994d", + "deprecated": false } }, - "long_description": "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", - "content": "c2NlbmFyaW9zOgogIC0gY3Jvd2RzZWN1cml0eS9odHRwLWN2ZS0yMDIxLTQxNzczCiAgLSBjcm93ZHNlY3VyaXR5L2h0dHAtY3ZlLTIwMjEtNDIwMTMKICAtIGNyb3dkc2VjdXJpdHkvZ3JhZmFuYS1jdmUtMjAyMS00Mzc5OAogIC0gY3Jvd2RzZWN1cml0eS92bXdhcmUtdmNlbnRlci12bXNhLTIwMjEtMDAyNwogIC0gY3Jvd2RzZWN1cml0eS9mb3J0aW5ldC1jdmUtMjAxOC0xMzM3OQogIC0gY3Jvd2RzZWN1cml0eS9wdWxzZS1zZWN1cmUtc3NsdnBuLWN2ZS0yMDE5LTExNTEwCiAgLSBjcm93ZHNlY3VyaXR5L2Y1LWJpZy1pcC1jdmUtMjAyMC01OTAyCiAgLSBjcm93ZHNlY3VyaXR5L3RoaW5rcGhwLWN2ZS0yMDE4LTIwMDYyCiAgLSBjcm93ZHNlY3VyaXR5L2FwYWNoZV9sb2c0ajJfY3ZlLTIwMjEtNDQyMjgKICAtIGNyb3dkc2VjdXJpdHkvamlyYV9jdmUtMjAyMS0yNjA4NgogIC0gY3Jvd2RzZWN1cml0eS9zcHJpbmc0c2hlbGxfY3ZlLTIwMjItMjI5NjUKICAtIGNyb3dkc2VjdXJpdHkvdm13YXJlLWN2ZS0yMDIyLTIyOTU0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTM3MDQyCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQxMDgyCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTM1OTE0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQwNjg0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTI2MTM0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQyODg5CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQxNjk3CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQ2MTY5CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQ0ODc3CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDE5LTE4OTM1CiAgLSBjcm93ZHNlY3VyaXR5L25ldGdlYXJfcmNlCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIzLTIyNTE1CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIzLTIyNTE4CmF1dGhvcjogY3Jvd2RzZWN1cml0eQpkZXNjcmlwdGlvbjogIkRldGVjdCBDVkUgZXhwbG9pdGF0aW9uIGluIGh0dHAgbG9ncyIKdGFnczoKICAtIHdlYgogIC0gZXhwbG9pdAogIC0gY3ZlCiAgLSBodHRwCg==", + "long_description": "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", + "content": 
"c2NlbmFyaW9zOgogIC0gY3Jvd2RzZWN1cml0eS9odHRwLWN2ZS0yMDIxLTQxNzczCiAgLSBjcm93ZHNlY3VyaXR5L2h0dHAtY3ZlLTIwMjEtNDIwMTMKICAtIGNyb3dkc2VjdXJpdHkvZ3JhZmFuYS1jdmUtMjAyMS00Mzc5OAogIC0gY3Jvd2RzZWN1cml0eS92bXdhcmUtdmNlbnRlci12bXNhLTIwMjEtMDAyNwogIC0gY3Jvd2RzZWN1cml0eS9mb3J0aW5ldC1jdmUtMjAxOC0xMzM3OQogIC0gY3Jvd2RzZWN1cml0eS9wdWxzZS1zZWN1cmUtc3NsdnBuLWN2ZS0yMDE5LTExNTEwCiAgLSBjcm93ZHNlY3VyaXR5L2Y1LWJpZy1pcC1jdmUtMjAyMC01OTAyCiAgLSBjcm93ZHNlY3VyaXR5L3RoaW5rcGhwLWN2ZS0yMDE4LTIwMDYyCiAgLSBjcm93ZHNlY3VyaXR5L2FwYWNoZV9sb2c0ajJfY3ZlLTIwMjEtNDQyMjgKICAtIGNyb3dkc2VjdXJpdHkvamlyYV9jdmUtMjAyMS0yNjA4NgogIC0gY3Jvd2RzZWN1cml0eS9zcHJpbmc0c2hlbGxfY3ZlLTIwMjItMjI5NjUKICAtIGNyb3dkc2VjdXJpdHkvdm13YXJlLWN2ZS0yMDIyLTIyOTU0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTM3MDQyCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQxMDgyCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTM1OTE0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQwNjg0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTI2MTM0CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQyODg5CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQxNjk3CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQ2MTY5CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIyLTQ0ODc3CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDE5LTE4OTM1CiAgLSBjcm93ZHNlY3VyaXR5L25ldGdlYXJfcmNlCiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIzLTIyNTE1CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIzLTIyNTE4CiAgLSBjcm93ZHNlY3VyaXR5L0NWRS0yMDIzLTQ5MTAzCmF1dGhvcjogY3Jvd2RzZWN1cml0eQpkZXNjcmlwdGlvbjogIkRldGVjdCBDVkUgZXhwbG9pdGF0aW9uIGluIGh0dHAgbG9ncyIKdGFnczoKICAtIHdlYgogIC0gZXhwbG9pdAogIC0gY3ZlCiAgLSBodHRwCg==", "description": "Detect CVE exploitation in http logs", "author": "crowdsecurity", "labels": null, @@ -1138,7 +1142,8 @@ "crowdsecurity/CVE-2019-18935", "crowdsecurity/netgear_rce", "crowdsecurity/CVE-2023-22515", - "crowdsecurity/CVE-2023-22518" + "crowdsecurity/CVE-2023-22518", + "crowdsecurity/CVE-2023-49103" ] }, "crowdsecurity/http-dos": { 
@@ -6775,6 +6780,38 @@
 "spoofable": 0
 }
 },
+ "crowdsecurity/CVE-2023-49103": {
+ "path": "scenarios/crowdsecurity/CVE-2023-49103.yaml",
+ "version": "0.2",
+ "versions": {
+ "0.1": {
+ "digest": "0bc71f216c4ac89ba9b7637a411a16344b4072483f43d0f6b95b7ace6b1e473c",
+ "deprecated": false
+ },
+ "0.2": {
+ "digest": "4b4f399a2cfa628dbcbee420717807e060a74ff5839d742351c8cad1b42fa15d",
+ "deprecated": false
+ }
+ },
+ "long_description": "RGV0ZWN0IGV4cGxvaXRhdGlvbiBvZiBvd25jbG91ZCBDVkUtMjAyMy00OTEwMwoKUmVmOiBodHRwczovL252ZC5uaXN0Lmdvdi92dWxuL2RldGFpbC9DVkUtMjAyMy00OTEwMwo=",
+ "content": "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",
+ "description": "Detect owncloud CVE-2023-49103 exploitation attempts",
+ "author": "crowdsecurity",
+ "labels": {
+ "behavior": "http:exploit",
+ "classification": [
+ "attack.T1595",
+ "attack.T1190",
+ "cve.CVE-2023-49103"
+ ],
+ "confidence": 2,
+ "label": "owncloud CVE-2023-49103",
+ "remediation": true,
+ "service": "owncloud",
+ "spoofable": 1,
+ "type": "exploit"
+ }
+ },
 "crowdsecurity/CVE-2023-4911": {
 "path": "scenarios/crowdsecurity/CVE-2023-4911.yaml",
 "version": "0.5",
diff --git a/.tests/cve-2023-49103/config.yaml b/.tests/cve-2023-49103/config.yaml
new file mode 100644
index 00000000000..6f89d4f5134
--- /dev/null
+++ b/.tests/cve-2023-49103/config.yaml
@@ -0,0 +1,13 @@
+parsers:
+- crowdsecurity/syslog-logs
+- crowdsecurity/dateparse-enrich
+- crowdsecurity/nginx-logs
+scenarios:
+- ./scenarios/crowdsecurity/CVE-2023-49103.yaml
+postoverflows:
+- ""
+log_file: cve-2023-49103.log
+log_type: nginx
+labels: {}
+ignore_parsers: true
+override_statics: []
diff --git a/.tests/cve-2023-49103/cve-2023-49103.log b/.tests/cve-2023-49103/cve-2023-49103.log
new file mode 100644
index 00000000000..b3eb6418901
--- /dev/null
+++ b/.tests/cve-2023-49103/cve-2023-49103.log
@@ -0,0 +1,2 @@
+1.2.3.4 - - [28/Nov/2023:09:41:29 +0100] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 404 153 "-" "curl/7.68.0"
+4.5.6.7 - - [28/Nov/2023:09:45:00 +0100] "GET /owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php HTTP/1.1" 200 153 "-" "curl/7.68.0"
diff --git a/.tests/cve-2023-49103/parser.assert b/.tests/cve-2023-49103/parser.assert
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/.tests/cve-2023-49103/scenario.assert b/.tests/cve-2023-49103/scenario.assert
new file mode 100644
index 00000000000..ad7abd99c3d
--- /dev/null
+++ b/.tests/cve-2023-49103/scenario.assert
@@ -0,0 +1,37 @@
+len(results) == 2
+"4.5.6.7" in results[0].Overflow.GetSources()
+results[0].Overflow.Sources["4.5.6.7"].IP == "4.5.6.7"
+results[0].Overflow.Sources["4.5.6.7"].Range == ""
+results[0].Overflow.Sources["4.5.6.7"].GetScope() == "Ip"
+results[0].Overflow.Sources["4.5.6.7"].GetValue() == "4.5.6.7"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_path") == "cve-2023-49103.log"
+results[0].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[0].Overflow.Alert.Events[0].GetMeta("http_path") == "/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
+results[0].Overflow.Alert.Events[0].GetMeta("http_status") == "200"
+results[0].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "curl/7.68.0"
+results[0].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
+results[0].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
+results[0].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[0].Overflow.Alert.Events[0].GetMeta("source_ip") == "4.5.6.7"
+results[0].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-11-28T09:45:00+01:00"
+results[0].Overflow.Alert.GetScenario() == "crowdsecurity/CVE-2023-49103"
+results[0].Overflow.Alert.Remediation == true
+results[0].Overflow.Alert.GetEventsCount() == 1
+"1.2.3.4" in results[1].Overflow.GetSources()
+results[1].Overflow.Sources["1.2.3.4"].IP == "1.2.3.4"
+results[1].Overflow.Sources["1.2.3.4"].Range == ""
+results[1].Overflow.Sources["1.2.3.4"].GetScope() == "Ip"
+results[1].Overflow.Sources["1.2.3.4"].GetValue() == "1.2.3.4"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_path") == "cve-2023-49103.log"
+results[1].Overflow.Alert.Events[0].GetMeta("datasource_type") == "file"
+results[1].Overflow.Alert.Events[0].GetMeta("http_path") == "/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"
+results[1].Overflow.Alert.Events[0].GetMeta("http_status") == "404"
+results[1].Overflow.Alert.Events[0].GetMeta("http_user_agent") == "curl/7.68.0"
+results[1].Overflow.Alert.Events[0].GetMeta("http_verb") == "GET"
+results[1].Overflow.Alert.Events[0].GetMeta("log_type") == "http_access-log"
+results[1].Overflow.Alert.Events[0].GetMeta("service") == "http"
+results[1].Overflow.Alert.Events[0].GetMeta("source_ip") == "1.2.3.4"
+results[1].Overflow.Alert.Events[0].GetMeta("timestamp") == "2023-11-28T09:41:29+01:00"
+results[1].Overflow.Alert.GetScenario() == "crowdsecurity/CVE-2023-49103"
+results[1].Overflow.Alert.Remediation == true
+results[1].Overflow.Alert.GetEventsCount() == 1
diff --git a/collections/crowdsecurity/http-cve.md b/collections/crowdsecurity/http-cve.md
index 5a0394902d7..c27105a3c4b 100644
--- a/collections/crowdsecurity/http-cve.md
+++ b/collections/crowdsecurity/http-cve.md
@@ -31,6 +31,7 @@ Works with [apache2](https://hub.crowdsec.net/author/crowdsecurity/collections/a
 - [Netgear DGN1000 / DGN2200 Remote Command Execution](https://www.exploit-db.com/exploits/25978)
 - [Confluence CVE-2023-22515](https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html)
 - [Confluence CVE-2023-22518](https://confluence.atlassian.com/pages/viewpage.action?pageId=1311473907)
+ - [Owncloud CVE-2023-49103](https://nvd.nist.gov/vuln/detail/CVE-2023-49103)
diff --git a/collections/crowdsecurity/http-cve.yaml b/collections/crowdsecurity/http-cve.yaml
index 754081b29f8..d8159f91eb1 100644
--- a/collections/crowdsecurity/http-cve.yaml
+++ b/collections/crowdsecurity/http-cve.yaml
@@ -24,6 +24,7 @@ scenarios:
 - crowdsecurity/netgear_rce
 - crowdsecurity/CVE-2023-22515
 - crowdsecurity/CVE-2023-22518
+ - crowdsecurity/CVE-2023-49103
 author: crowdsecurity
 description: "Detect CVE exploitation in http logs"
 tags:
diff --git a/scenarios/crowdsecurity/CVE-2023-49103.md b/scenarios/crowdsecurity/CVE-2023-49103.md
new file mode 100644
index 00000000000..50c96c6d5ab
--- /dev/null
+++ b/scenarios/crowdsecurity/CVE-2023-49103.md
@@ -0,0 +1,3 @@
+Detect exploitation of owncloud CVE-2023-49103
+
+Ref: https://nvd.nist.gov/vuln/detail/CVE-2023-49103
diff --git a/scenarios/crowdsecurity/CVE-2023-49103.yaml b/scenarios/crowdsecurity/CVE-2023-49103.yaml
new file mode 100644
index 00000000000..87983c58339
--- /dev/null
+++ b/scenarios/crowdsecurity/CVE-2023-49103.yaml
@@ -0,0 +1,20 @@
+type: trigger
+format: 2.0
+name: crowdsecurity/CVE-2023-49103
+description: "Detect owncloud CVE-2023-49103 exploitation attempts"
+filter: |
+ evt.Meta.log_type in ['http_access-log', 'http_error-log'] && Lower(evt.Meta.http_path) contains '/owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php'
+groupby: "evt.Meta.source_ip"
+blackhole: 2m
+labels:
+ type: exploit
+ remediation: true
+ classification:
+ - attack.T1595
+ - attack.T1190
+ - cve.CVE-2023-49103
+ spoofable: 1
+ confidence: 2
+ behavior: "http:exploit"
+ label: "owncloud CVE-2023-49103"
+ service: owncloud
diff --git a/taxonomy/scenarios.json b/taxonomy/scenarios.json
index 86b3f854139..7c9c8963edc 100644
--- a/taxonomy/scenarios.json
+++ b/taxonomy/scenarios.json
@@ -874,6 +874,25 @@
 "CVE-2023-23397"
 ]
 },
+ "crowdsecurity/CVE-2023-49103": {
+ "name": "crowdsecurity/CVE-2023-49103",
+ "description": "Detect owncloud CVE-2023-49103 exploitation attempts",
+ "label": "owncloud CVE-2023-49103",
+ "behaviors": [
+ "http:exploit"
+ ],
+ "mitre_attacks": [
+ "TA0043:T1595",
+ "TA0001:T1190"
+ ],
+ "confidence": 2,
+ "spoofable": 1,
+ "cti": true,
+ "service": "owncloud",
+ "cves": [
+ "CVE-2023-49103"
+ ]
+ },
 "crowdsecurity/CVE-2023-4911": {
 "name": "crowdsecurity/CVE-2023-4911",
 "description": "exploitation of CVE-2023-4911: segfaulting in dynamic loader",
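Review bot: The filter in scenarios/crowdsecurity/CVE-2023-49103.yaml anchors the match on the `/owncloud/` prefix, so an ownCloud instance served from the web root, where the same file lives under `/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php`, never fires the scenario. Since the expression already uses `contains` rather than an exact comparison, dropping the deployment-specific prefix covers both layouts and still matches the two fixture lines in cve-2023-49103.log: `Lower(evt.Meta.http_path) contains '/apps/graphapi/vendor/microsoft/microsoft-graph/tests/getphpinfo.php'`. A third fixture line in the web-root form, with the corresponding scenario.assert entries, would pin that coverage in the hub test. A one-line comment above `filter:` noting that the lowercased `contains` check is deliberate would keep a later edit from tightening it into an exact path match.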