A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195.

Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class`, which contains an HMAC secret key, by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class`. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`.

Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/`. The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).

Solution for this vulnerability:

* For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later.
* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.
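The check-ordering flaw described above, modelled in Python as an added example (this is not Apache Tapestry's code): the vulnerable resolver tests the suffix blacklist on the raw path and only then strips the trailing slash, the hardened resolver canonicalises first and additionally requires an allowlisted asset extension, and a small access-log scan flags both direct and bypass-shaped requests. The extension allowlist, the log lines and all function names are constructed assumptions for this model.

```python
import re
from urllib.parse import unquote

# Suffixes the CVE-2019-0195 fix refused to serve (taken from the advisory).
BLOCKED_SUFFIXES = (".class", ".properties", ".xml")
# Constructed allowlist of extensions a genuine asset request should carry;
# an assumption for this model, not a list taken from Tapestry.
ASSET_ALLOWLIST = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".woff2")


def normalize_asset_path(path: str) -> str:
    """Canonical form the resource loader would actually open: query string
    dropped, percent escapes decoded, repeated slashes collapsed, trailing
    slash removed. The assumption is that a robust check must operate on
    exactly this form, never on the raw request path."""
    path = unquote(path.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    return path.rstrip("/") or "/"


def _ends_with_blocked(path: str) -> bool:
    return path.lower().endswith(BLOCKED_SUFFIXES)


def vulnerable_resolve(path: str):
    """Flawed ordering: the blacklist inspects the raw request path, and the
    trailing slash is stripped afterwards for loading. Returns the resource
    that would be served, or None when refused."""
    if _ends_with_blocked(path):        # '.../AppModule.class/' passes here...
        return None
    return normalize_asset_path(path)   # ...and becomes '.../AppModule.class' here


def hardened_resolve(path: str):
    """Fixed ordering: canonicalise first, then refuse if any segment of the
    canonical path carries a blocked suffix, then require an allowlisted asset
    extension so unexpected classpath files are never served at all."""
    resource = normalize_asset_path(path)
    if any(_ends_with_blocked(seg) for seg in resource.split("/")):
        return None
    if not resource.lower().endswith(ASSET_ALLOWLIST):
        return None
    return resource


# Constructed access-log lines in common log format; not from any real server.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Apr/2021:10:00:01 +0000] "GET /assets/meta/abc/css/app.css HTTP/1.1" 200 812',
    '10.0.0.9 - - [15/Apr/2021:10:00:02 +0000] "GET /assets/something/services/AppModule.class HTTP/1.1" 403 0',
    '10.0.0.9 - - [15/Apr/2021:10:00:03 +0000] "GET /assets/something/services/AppModule.class/ HTTP/1.1" 200 4312',
    '10.0.0.9 - - [15/Apr/2021:10:00:04 +0000] "GET /assets/something/app.properties/ HTTP/1.1" 200 240',
    '10.0.0.7 - - [15/Apr/2021:10:00:05 +0000] "GET /login HTTP/1.1" 200 1500',
]

_REQUEST_LINE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')


def flag_asset_requests(log_lines):
    """Return (raw_path, kind) for every asset request whose canonical path
    hits the blacklist. 'direct' requests were refused by the old suffix
    check as well; 'bypass' requests slipped past it via the trailing slash,
    which is the signal a defender wants from pre-patch logs."""
    findings = []
    for line in log_lines:
        match = _REQUEST_LINE.search(line)
        if not match:
            continue
        raw = match.group(1)
        if not raw.startswith("/assets/"):
            continue
        canonical = normalize_asset_path(raw)
        if any(_ends_with_blocked(seg) for seg in canonical.split("/")):
            kind = "direct" if _ends_with_blocked(raw) else "bypass"
            findings.append((raw, kind))
    return findings


if __name__ == "__main__":
    probe = "/assets/something/services/AppModule.class/"
    print("vulnerable serves:", vulnerable_resolve(probe))
    print("hardened serves:  ", hardened_resolve(probe))
    for raw, kind in flag_asset_requests(SAMPLE_LOG):
        print(f"{kind:>6}  {raw}")
```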
**Recent assessments:**
Assessed Attacker Value: 0
{"id": "AKB:159E47EB-87DB-40C2-A1FB-A6041C0AD829", "vendorId": null, "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2021-27850", "description": "A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. 
* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "published": "2021-04-15T00:00:00", "modified": "2021-04-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://attackerkb.com/topics/32H1tJnyGT/cve-2021-27850", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27850", "http://www.openwall.com/lists/oss-security/2021/04/15/1", "https://security.netapp.com/advisory/ntap-20210528-0002/", "https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E"], "cvelist": ["CVE-2019-0195", "CVE-2021-27850"], "immutableFields": [], "lastseen": "2022-03-12T02:35:25", "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-0195", "CVE-2021-27850"]}, {"type": "github", "idList": ["GHSA-MJ8X-CPR8-X39H"]}, {"type": "githubexploit", "idList": 
["0DF44D6F-70D3-592E-8DEC-274BDE4E60CD", "7146E718-16A9-5B5B-8529-DEF250B4C95C", "EC959D0D-7F63-5C96-AFEA-639D29E9BC9E"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5D64EF678F668492563D94414E31C3D2"]}], "rev": 4}, "score": {"value": 5.9, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2019-0195"]}, {"type": "github", "idList": ["GHSA-MJ8X-CPR8-X39H"]}, {"type": "githubexploit", "idList": ["0DF44D6F-70D3-592E-8DEC-274BDE4E60CD", "7146E718-16A9-5B5B-8529-DEF250B4C95C", "EC959D0D-7F63-5C96-AFEA-639D29E9BC9E"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:5D64EF678F668492563D94414E31C3D2"]}]}, "exploitation": null, "vulnersScore": 5.9}, "_state": {"wildexploited": 1647356734, "dependencies": 1647141775}, "_internal": {"wildexploited_cvelist": ["CVE-2019-0195", "CVE-2021-27850"]}, "attackerkb": {"attackerValue": 0, "exploitability": 0}, "wildExploited": true, "wildExploitedCategory": {"Personally observed in an environment": ""}, "wildExploitedReports": [{"category": "Personally observed in an environment", "source_url": "", "published": "2021-06-03T11:54:00"}], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27850"], "Advisory": ["http://www.openwall.com/lists/oss-security/2021/04/15/1", "https://security.netapp.com/advisory/ntap-20210528-0002/"], "Miscellaneous": ["https://lists.apache.org/thread.html/r237ff7f286bda31682c254550c1ebf92b0ec61329b32fbeb2d1c8751%40%3Cusers.tapestry.apache.org%3E"]}, "tags": [], "mitre_vector": {}, "last_activity": "2021-06-03T11:54:00"}
{"github": [{"lastseen": "2022-04-15T14:32:30", "description": "A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.2, upgrade to 5.6.3 or later. 
* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-16T17:33:19", "type": "github", "title": "Remote code execution in Apache Tapestry", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0195", "CVE-2021-27850"], "modified": "2021-06-16T17:33:19", "id": "GHSA-MJ8X-CPR8-X39H", "href": "https://github.com/advisories/GHSA-mj8x-cpr8-x39h", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "osv": [{"lastseen": "2022-06-10T05:00:49", "description": "A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. 
The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.2, upgrade to 5.6.3 or later. * For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-16T17:33:19", "type": "osv", "title": "Remote code execution in Apache Tapestry", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0195", "CVE-2021-27850"], "modified": "2022-06-10T02:15:02", "id": "OSV:GHSA-MJ8X-CPR8-X39H", "href": 
"https://osv.dev/vulnerability/GHSA-mj8x-cpr8-x39h", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T16:15:50", "description": "A critical unauthenticated remote code execution vulnerability was found all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. The vulnerability I have found is a bypass of the fix for CVE-2019-0195. Recap: Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class` which contains a HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`. Bypass: Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/` The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial). Solution for this vulnerability: * For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later. 
* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-15T08:15:00", "type": "cve", "title": "CVE-2021-27850", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0195", "CVE-2021-27850"], "modified": "2021-06-02T15:15:00", "cpe": [], "id": "CVE-2021-27850", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27850", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2022-03-23T18:46:57", "description": "Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbol could be used to craft a Java deserialization attack, thus running malicious injected Java code. 
The vector would be the t:formdata parameter from the Form component.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-09-16T16:15:00", "type": "cve", "title": "CVE-2019-0195", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0195"], "modified": "2021-04-19T20:06:00", "cpe": ["cpe:/a:apache:tapestry:5.4.3"], "id": "CVE-2019-0195", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-0195", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:tapestry:5.4.3:*:*:*:*:*:*:*"]}], "githubexploit": [{"lastseen": "2021-12-24T12:36:23", "description": "## \u547d\u4ee4\u4f7f\u7528\n```bash\ngit clone https://github.com/Ovi3/CVE_2021_27850...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": 
"3.1"}, "impactScore": 5.9}, "published": "2021-07-02T10:21:58", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Tapestry", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27850"], "modified": "2021-12-24T09:21:18", "id": "0DF44D6F-70D3-592E-8DEC-274BDE4E60CD", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:22:48", "description": "# CVE-2021-27850 Exploit #\n\n## Overview ##\n\nCVE-2021-27850 is a ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-26T14:16:00", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Tapestry", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27850"], "modified": "2021-09-13T11:56:12", "id": "EC959D0D-7F63-5C96-AFEA-639D29E9BC9E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-06-23T14:15:38", "description": "# CVE-2021-27850 Exploit #\n\n## Overview ##\n\nCVE-2021-27850 is a ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-25T13:55:41", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Apache Tapestry", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27850"], "modified": "2022-06-23T09:27:38", "id": "7146E718-16A9-5B5B-8529-DEF250B4C95C", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "rapid7blog": [{"lastseen": "2021-07-28T14:56:11", "description": "\n\n## Now I Control Your Resource Planning Servers\n\nSage X3 is a resource planning product designed by Sage Group which is designed to help established businesses 
plan out their business operations. But what if you wanted to do more than just manage resources? What if you wanted to hijack the resource server itself? Well wait no more, as thanks to the work of [Aaron Herndon](<https://www.linkedin.com/in/aaron-herndon-54079b5a/>), [Jonathan Peterson](<https://www.linkedin.com/in/jonathan-p-004b76a1/>), [William Vu](<https://twitter.com/wvuuuuuuuuuuuuu>), [Cale Black](<https://github.com/cblack-r7>), and [Ryan Villarreal](<https://www.linkedin.com/in/ryanvillarreal/>) along with work from community contributor [deadjakk](<https://github.com/deadjakk>), Metasploit now has an exploit module for [CVE-2020-7388](<https://attackerkb.com/topics/q0ETmshZPW/cve-2020-7388?referrer=blog>) and [CVE-2020-7387](<https://attackerkb.com/topics/l1RZYyWf4X/cve-2020-7387?referrer=blog>), to allow unauthenticated attackers to gain `SYSTEM` level code execution on affected versions of Sage X3. This module should prove very useful on engagements both as a way to gain an initial foothold in a target network, as well as a way to elevate privileges to allow for more effective pivoting throughout the target network. More information on these vulnerabilities can be found in our detailed writeup post [on our blog](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/?referrer=blog>).\n\n## Help My Server is Raining Keys\n\nAnother great module that landed this week was an exploit for [CVE-2021-27850](<https://attackerkb.com/topics/32H1tJnyGT/cve-2021-27850?referrer=blog>) from [Johannes Mortiz](<https://www.radicallyopensecurity.com/our-team/pentester/JohannesMoritz.html>) and Yann Castel aka [Hakyac](<https://github.com/Hakyac>), which allows attackers to steal the HMAC key from applications that use a vulnerable version of the Apache Tapestry web framework. This HMAC key is particularly important in many applications as it is often used to sign important data within the application. 
However in the case of Apache Tapestry, one can actually take this even further and use the leaked HMAC key to exploit a separate Java deserialization vulnerability in Apache Tapestry to gain RCE using readily available gadgets such as CommonBeansUtil1 from ysoserial. Therefore this should be one to keep an eye out for and patch if you haven't already.\n\n## PrintNightmare Improvements\n\nImprovements have been made to the PrintNightmare module thanks to [Spencer McIntyre](<https://twitter.com/zerosteiner>) to improve the way that Metasploit checks if a target is vulnerable or not, as well as to incorporate the `\\??\\UNC\\` bypass for the second and most recent patch at the time of writing. Additionally, a separate bug was fixed in Metasploit's DCERPC library to prevent crashes when handling fragmented responses from the target server that could not fit into a single packet. These fixes should help ensure that not only is Metasploit able to better detect servers that are vulnerable to PrintNightmare, but also help target those servers that may not have fully applied all the appropriate patches and mitigations.\n\n## New module content (4)\n\n * [Apache Tapestry HMAC secret key leak](<https://github.com/rapid7/metasploit-framework/pull/15211>) by Johannes Moritz and [Hakyac](<https://github.com/Hakyac>), which exploits [CVE-2021-27850](<https://attackerkb.com/topics/32H1tJnyGT/cve-2021-27850?referrer=blog>) \\- This adds an auxiliary module that retrieves the secret HMAC key from applications that use a vulnerable version of the Apache Tapestry web framework. 
Retrieving this key will allow an attacker to sign objects in order to exploit a separate Java deserialization vulnerability in Apache Tapestry.\n * [Sage X3 AdxAdmin Login Scanner](<https://github.com/rapid7/metasploit-framework/pull/15400>) by [Jonathan Peterson](<https://www.linkedin.com/in/jonathan-p-004b76a1/>) \\- Added a Sage X3 login scanner.\n * [Wordpress Plugin Backup Guard - Authenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/15402>) by Nguyen Van Khanh, [Ron Jost](<https://github.com/Hacker5preme>), and [Hakyac](<https://github.com/Hakyac>), which exploits [CVE-2021-24155](<https://attackerkb.com/topics/ufEsuA2DpJ/cve-2021-24155?referrer=blog>) \\- This adds a module that exploits an authenticated file upload vulnerability in the Wordpress plugin, Backup Guard. For versions below `v1.6.0`, the plugin permits the upload of arbitrary php code due to insufficient checks on the file format. Once the file is uploaded, code execution can be achieved by requesting the file, located under the `/wp-content/uploads/backup-guard` directory.\n * [Sage X3 Administration Service Authentication Bypass Command Execution](<https://github.com/rapid7/metasploit-framework/pull/15400>) by [Aaron Herndon](<https://www.linkedin.com/in/aaron-herndon-54079b5a/>) and [Jonathan Peterson](<https://www.linkedin.com/in/jonathan-p-004b76a1/>), which exploits [CVE-2020-7388](<https://attackerkb.com/topics/q0ETmshZPW/cve-2020-7388?referrer=blog>)\\- Added an exploit for [CVE-2020-7387 + CVE-2020-7388](<https://www.rapid7.com/blog/post/2021/07/07/cve-2020-7387-7390-multiple-sage-x3-vulnerabilities/>).\n\n## Enhancements and features\n\n * [#15403](<https://github.com/rapid7/metasploit-framework/pull/15403>) from [pingport80](<https://github.com/pingport80>) \\- This makes changes to the Powershell session type to report its platform using a value consistent with the other session types. 
It also adds Powershell session support to some methods within the file mixin.\n * [#15409](<https://github.com/rapid7/metasploit-framework/pull/15409>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- An update has been made to the PrintNightmare module to improve the way that it checks if a target is vulnerable or not and to now automatically converts UNC paths to use the `\\??\\UNC\\host\\path\\to\\dll` format to bypass the second and most recent patch at the time of writing. Additionally a bug was fixed in the DCERPC library where data that was read would be incomplete when the response would not fit into a single fragment to ensure that the PrintNightmare module can now read long responses from the target such as when enumerating the installed printer drivers.\n * [#15440](<https://github.com/rapid7/metasploit-framework/pull/15440>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- This PR updates the payloads gem to include updates to Kiwi. For more information, see rapid7/mimikatz#5 and rapid7/metasploit-payloads#490\n\n## Bugs fixed\n\n * [#14683](<https://github.com/rapid7/metasploit-framework/pull/14683>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) \\- This replaces a cryptic exception raised by msfvenom when an incompatible EXE template file is used with a specific injection technique. 
The new exception validates whether the EXE is compatible and reports the reason it is not so the user can more easily understand the problem.\n * [#15436](<https://github.com/rapid7/metasploit-framework/pull/15436>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- Ensure that generated variable names aren't Java keywords\n * [#15443](<https://github.com/rapid7/metasploit-framework/pull/15443>) from [dwelch-r7](<https://github.com/dwelch-r7>) \\- Adds python3 support for the wmiexec external module `auxiliary/scanner/smb/impacket/wmiexec`\n * [#15445](<https://github.com/rapid7/metasploit-framework/pull/15445>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- Updates msfconsole's output logs to only show the target's ip when an exploit module is run, rather than a host-hash\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.53...6.0.54](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-07-15T10%3A18%3A50%2B01%3A00..2021-07-22T11%3A58%3A03-05%3A00%22>)\n * [Full diff 6.0.53...6.0.54](<https://github.com/rapid7/metasploit-framework/compare/6.0.53...6.0.54>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-07-23T19:39:14", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7387", "CVE-2020-7388", "CVE-2021-24155", "CVE-2021-27850"], "modified": "2021-07-23T19:39:14", "id": "RAPID7BLOG:5D64EF678F668492563D94414E31C3D2", "href": "https://blog.rapid7.com/2021/07/23/metasploit-wrap-up-122/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}