Conversation

crowdsec-automation
Contributor

This rule targets the XWiki user registration endpoint vulnerable to RCE via the "first name" or "last name" fields. The detection logic is as follows:

  • The first rule block matches requests to the registration endpoint (/bin/register/xwiki/xwikiregister), using both lowercase and urldecode transforms to ensure case-insensitive and encoded/decoded matching.
  • The second rule block inspects the POST body arguments, specifically the register_first_name and register_last_name fields, for the presence of the string {{groovy}} (case-insensitive, URL-decoded). This string is a strong indicator of an attempt to inject Groovy code, which is the vector for RCE in this vulnerability.
  • The rule avoids matching on the full payload or specific code, instead focusing on the Groovy macro marker, which is the minimal and most reliable indicator of exploitation attempts, reducing false positives.
  • The nuclei test template is adapted to send a POST request with a malicious register_first_name containing the Groovy macro, and expects a 403 response to confirm the rule blocks the attack.

Validation checklist:

  • All value: fields are lowercase.
  • All relevant transforms include lowercase and urldecode.
  • No match.value contains capital letters.
  • The rule uses contains for matching, not regex, as per guidelines.
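To make the two rule blocks above concrete, here is an added Python re-implementation of the same matching logic (endpoint match with lowercase and urldecode transforms, then a `contains` check for the `{{groovy}}` marker in `register_first_name` / `register_last_name`). It is example code written for this page, not the AppSec rule file from this pull request and not CrowdSec's engine; the sample requests are constructed, and decoding the form body once with `parse_qs` and once more in the transform is this example's assumption about how the two stages compose.

```python
"""Re-implementation of the detection logic described in the PR text.

Constructed example: it mirrors the two rule blocks (endpoint match, then
argument inspection for the Groovy macro marker) in plain Python so the
matching behaviour can be checked offline. It is not the AppSec rule YAML
from this PR and not CrowdSec's engine.
"""
from urllib.parse import parse_qs, unquote_plus

# Values taken from the rule description above.
REGISTER_PATH = "/bin/register/xwiki/xwikiregister"
GROOVY_MARKER = "{{groovy}}"
INSPECTED_ARGS = ("register_first_name", "register_last_name")


def transform(value: str) -> str:
    """Apply the rule's transforms in order: urldecode, then lowercase."""
    return unquote_plus(value).lower()


def matches_endpoint(uri: str) -> bool:
    """First rule block: the request path names the registration endpoint.

    The query string is stripped first; matching is 'contains' after the
    transforms, so mixed-case and percent-encoded paths still match.
    """
    path = uri.split("?", 1)[0]
    return REGISTER_PATH in transform(path)


def matches_groovy_marker(body: str) -> bool:
    """Second rule block: an inspected form field contains {{groovy}}.

    parse_qs decodes the form encoding once; transform() decodes once more
    (an assumption of this example) and lowercases, so a double-encoded
    marker is still caught. Fields other than the two listed are ignored,
    which is what keeps the rule narrow and limits false positives.
    """
    args = parse_qs(body, keep_blank_values=True)
    return any(
        GROOVY_MARKER in transform(raw)
        for name in INSPECTED_ARGS
        for raw in args.get(name, [])
    )


def rule_matches(method: str, uri: str, body: str) -> bool:
    """Both blocks must hold (AND), and only POST bodies are inspected."""
    return (
        method.upper() == "POST"
        and matches_endpoint(uri)
        and matches_groovy_marker(body)
    )


# Constructed sample requests (label, method, uri, body); none is real traffic.
SAMPLES = [
    ("benign registration", "POST", "/bin/register/xwiki/xwikiregister",
     "register_first_name=Alice&register_last_name=Smith&xredirect=%2F"),
    ("marker, mixed case + encoded", "POST", "/bin/register/XWiki/XWikiRegister",
     "register_first_name=%7B%7BGroovy%7D%7D&register_last_name=Smith"),
    ("marker, double encoded", "POST", "/bin/register/xwiki/xwikiregister",
     "register_last_name=%257B%257BGROOVY%257D%257D"),
    ("marker in uninspected field", "POST", "/bin/register/xwiki/xwikiregister",
     "comment=%7B%7Bgroovy%7D%7D&register_first_name=Bob"),
    ("marker on other endpoint", "POST", "/bin/view/Main/WebHome",
     "register_first_name=%7B%7Bgroovy%7D%7D"),
]


def evaluate_samples() -> dict:
    """Return {label: matched} for every constructed sample."""
    return {label: rule_matches(m, u, b) for label, m, u, b in SAMPLES}


if __name__ == "__main__":
    for label, hit in evaluate_samples().items():
        print(f"{'BLOCK' if hit else 'allow'}  {label}")
```

Running the block shows the effect of the design choices in the checklist: the mixed-case path and the percent-encoded, mixed-case marker are both caught because the transforms run before the `contains` comparison, while the marker placed in a field the rule does not inspect, or sent to a different endpoint, is left alone.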


Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2024-21650 🔴


Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!


Hello @blotus and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2023-0600 🔴
🔴 crowdsecurity/vpatch-CVE-2023-2009 🔴
🔴 crowdsecurity/vpatch-CVE-2023-0900 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6623 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23489 🔴
🔴 crowdsecurity/vpatch-CVE-2023-4634 🔴
🔴 crowdsecurity/vpatch-CVE-2023-23488 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1071 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6567 🔴
🔴 crowdsecurity/vpatch-CVE-2023-6360 🔴
🔴 crowdsecurity/vpatch-CVE-2024-1061 🔴


Hello @blotus,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!
