Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
* Add CVE-2024-27956 / CVE-2024-27954
---------

Co-authored-by: GitHub Action <[email protected]>
Co-authored-by: Thibault Koechlin <[email protected]>
  • Loading branch information
3 people authored Nov 13, 2024
1 parent 98608ec commit 390a0b3
Show file tree
Hide file tree
Showing 9 changed files with 237 additions and 3 deletions.
5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-27954/config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@

appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-27954.yaml
nuclei_template: test-CVE-2024-27954.yaml
19 changes: 19 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-27954/test-CVE-2024-27954.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@

id: test-CVE-2024-27954
info:
name: test-CVE-2024-27954
author: crowdsec
severity: info
description: test-CVE-2024-27954 testing
tags: appsec-testing
http:
- raw:
- |
GET /?p=3232&wp_automatic=download&link=file:///etc/passwd HTTP/1.1
Host: {{Hostname}}
cookie-reuse: true
matchers:
- type: dsl
condition: and
dsl:
- "status_code_1 == 403"
5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-27956/config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@

appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-27956.yaml
nuclei_template: test-CVE-2024-27956.yaml
20 changes: 20 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-27956/test-CVE-2024-27956.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
id: test-CVE-2024-27956
info:
name: test-CVE-2024-27956
author: crowdsec
severity: info
description: test-CVE-2024-27956 testing
tags: appsec-testing
http:
- raw:
- |
POST /wp-content/plugins/wp-automatic/inc/csv.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
q=INSERT+INTO+wp_users+%28user_login%2C+user_pass%2C+user_nicename%2C+user_email%2C+user_url%2C+user_registered%2C+user_status%2C+display_name%29+VALUES+%28%27eviladmin%27%2C+%27%24P%24BASbMqW0nlZRux%2F2IhCw7AdvoNI4VT0%27%2C+%27eviladmin%27%2C+%27eviladmin%40gmail.com%27%2C+%27http%3A%2F%2F127.0.0.1%3A8000%27%2C+%272024-04-30+16%3A26%3A43%27%2C+0%2C+%27eviladmin%27%29&auth=%00&integ=09956ea086b172d6cf8ac31de406c4c0
cookie-reuse: true
matchers:
- type: dsl
condition: and
dsl:
- "status_code_1 == 403"
70 changes: 67 additions & 3 deletions .index.json
Original file line number Diff line number Diff line change
Expand Up @@ -2136,6 +2136,60 @@
"type": "exploit"
}
},
"crowdsecurity/vpatch-CVE-2024-27954": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-27954.yaml",
"version": "0.1",
"versions": {
"0.1": {
"digest": "bf6471bd1c257cc27c60cb8474cdec8104571b5c0eb9a9a1880a3f15f6ae87b9",
"deprecated": false
}
},
"content": "bmFtZTogY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjc5NTQKZGVzY3JpcHRpb246ICJXUCBBdXRvbWF0aWMgLSBQYXRoIFRyYXZlcnNhbCAoQ1ZFLTIwMjQtMjc5NTQpIgpydWxlczoKICAtIGFuZDoKICAgIC0gem9uZXM6CiAgICAgIC0gTUVUSE9ECiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGVxdWFscwogICAgICAgIHZhbHVlOiBHRVQKICAgIC0gem9uZXM6CiAgICAgIC0gQVJHUwogICAgICB2YXJpYWJsZXM6CiAgICAgICAtIHdwX2F1dG9tYXRpYwogICAgICB0cmFuc2Zvcm06CiAgICAgIC0gbG93ZXJjYXNlCiAgICAgIG1hdGNoOgogICAgICAgIHR5cGU6IGVxdWFscwogICAgICAgIHZhbHVlOiAiZG93bmxvYWQiCiAgICAtIHpvbmVzOgogICAgICAtIEFSR1MKICAgICAgdmFyaWFibGVzOgogICAgICAgLSBsaW5rCiAgICAgIHRyYW5zZm9ybToKICAgICAgLSBsb3dlcmNhc2UKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogc3RhcnRzV2l0aAogICAgICAgIHZhbHVlOiAiZmlsZTovLyIKbGFiZWxzOgogIHR5cGU6IGV4cGxvaXQKICBzZXJ2aWNlOiBodHRwCiAgY29uZmlkZW5jZTogMwogIHNwb29mYWJsZTogMAogIGJlaGF2aW9yOiAiaHR0cDpleHBsb2l0IgogIGxhYmVsOiAiV1AgQXV0b21hdGljIC0gUGF0aCBUcmF2ZXJzYWwiCiAgY2xhc3NpZmljYXRpb246CiAgIC0gY3ZlLkNWRS0yMDI0LTI3OTU0CiAgIC0gYXR0YWNrLlQxNTk1CiAgIC0gYXR0YWNrLlQxMTkwCiAgIC0gY3dlLkNXRS0yMg==",
"description": "WP Automatic - Path Traversal (CVE-2024-27954)",
"author": "crowdsecurity",
"labels": {
"behavior": "http:exploit",
"classification": [
"cve.CVE-2024-27954",
"attack.T1595",
"attack.T1190",
"cwe.CWE-22"
],
"confidence": 3,
"label": "WP Automatic - Path Traversal",
"service": "http",
"spoofable": 0,
"type": "exploit"
}
},
"crowdsecurity/vpatch-CVE-2024-27956": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-27956.yaml",
"version": "0.1",
"versions": {
"0.1": {
"digest": "75f4bc972ce0fe46ffb311ee245a71bbeaf12963246dd98981b2d166f834191d",
"deprecated": false
}
},
"content": "Cm5hbWU6IGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3OTU2CmRlc2NyaXB0aW9uOiAiV29yZFByZXNzIEF1dG9tYXRpYyBQbHVnaW4gLSBTUUxpIChDVkUtMjAyNC0yNzk1NikiCnJ1bGVzOgogIC0gYW5kOgogICAgLSB6b25lczoKICAgICAgLSBNRVRIT0QKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZXF1YWxzCiAgICAgICAgdmFsdWU6IFBPU1QKICAgIC0gem9uZXM6CiAgICAgIC0gVVJJCiAgICAgIHRyYW5zZm9ybToKICAgICAgLSBsb3dlcmNhc2UKICAgICAgbWF0Y2g6CiAgICAgICAgdHlwZTogZW5kc1dpdGgKICAgICAgICB2YWx1ZTogL3dwLWNvbnRlbnQvcGx1Z2lucy93cC1hdXRvbWF0aWMvaW5jL2Nzdi5waHAKICAgIC0gem9uZXM6CiAgICAgIC0gQk9EWV9BUkdTCiAgICAgIHZhcmlhYmxlczoKICAgICAgIC0gYXV0aAogICAgICBtYXRjaDoKICAgICAgICB0eXBlOiBjb250YWlucwogICAgICAgIHZhbHVlOiAiXHgwMCIKbGFiZWxzOgogIHR5cGU6IGV4cGxvaXQKICBzZXJ2aWNlOiBodHRwCiAgY29uZmlkZW5jZTogMwogIHNwb29mYWJsZTogMAogIGJlaGF2aW9yOiAiaHR0cDpleHBsb2l0IgogIGxhYmVsOiAiV29yZFByZXNzIEF1dG9tYXRpYyBQbHVnaW4gLSBTUUxpIgogIGNsYXNzaWZpY2F0aW9uOgogICAtIGN2ZS5DVkUtMjAyNC0yNzk1NgogICAtIGF0dGFjay5UMTU5NQogICAtIGF0dGFjay5UMTE5MAogICAtIGN3ZS5DV0UtNTAy",
"description": "WordPress Automatic Plugin - SQLi (CVE-2024-27956)",
"author": "crowdsecurity",
"labels": {
"behavior": "http:exploit",
"classification": [
"cve.CVE-2024-27956",
"attack.T1595",
"attack.T1190",
"cwe.CWE-502"
],
"confidence": 3,
"label": "WordPress Automatic Plugin - SQLi",
"service": "http",
"spoofable": 0,
"type": "exploit"
}
},
"crowdsecurity/vpatch-CVE-2024-28255": {
"path": "appsec-rules/crowdsecurity/vpatch-CVE-2024-28255.yaml",
"version": "0.1",
Expand Down Expand Up @@ -3376,7 +3430,7 @@
},
"crowdsecurity/appsec-virtual-patching": {
"path": "collections/crowdsecurity/appsec-virtual-patching.yaml",
"version": "4.2",
"version": "4.4",
"versions": {
"0.1": {
"digest": "a165d638c8d826a932e4ca4e70ec5379d558a0bee1356e871c7c92cc2df714fc",
Expand Down Expand Up @@ -3545,10 +3599,18 @@
"4.2": {
"digest": "db45e9ff4b84538b8402dd1fc57ee137ad14562f15fbd7719f4f5813e824b71a",
"deprecated": false
},
"4.3": {
"digest": "f526f84b222b2e83c148c4c028c69ae124b04d790877084395a1750b38ecaae9",
"deprecated": false
},
"4.4": {
"digest": "ba304a73baf21c9d547dbf7dbb7507173b3ad5ec139cbb762cb13fc78819278f",
"deprecated": false
}
},
"long_description": "IyBBcHBTZWMgVmlydHVhbCBQYXRjaGluZwoKVGhpcyBjb2xsZWN0aW9uIGNvbnRhaW5zIHZpcnR1YWwgcGF0Y2hpbmcgZm9yIGNvbW1vbmx5IGV4cGxvaXRlZCB2dWxuZXJhYmlsaXRpZXMsIGFuZCBpcyBpbnNwaXJlZCBieSB0aGUgW0NJU0EgS25vd24gRXhwbG9pdGVkIFZ1bG5lcmFiaWxpdGllcyBDYXRhbG9nXShodHRwczovL3d3dy5jaXNhLmdvdi9rbm93bi1leHBsb2l0ZWQtdnVsbmVyYWJpbGl0aWVzLWNhdGFsb2cpLiBUaGUgZ29hbCBpcyB0byBwcm92aWRlIHZpcnR1YWwgcGF0Y2hpbmcgY2FwYWJpbGl0aWVzIGZvciB0aGUgbW9zdCBvZnRlbiBleHBsb2l0ZWQgdnVsbmVyYWJpbGl0aWVzLCBhdm9pZGluZyBmYWxzZSBwb3NpdGl2ZXMgd2hpbGUgY2F0Y2hpbmcgcGVvcGxlIHNjb3V0aW5nIHlvdXIgYXBwbGljYXRpb25zIGZvciBqdWljeSB2dWxuZXJhYmlsaXRpZXMuCg==",
"content": "YXBwc2VjLWNvbmZpZ3M6Ci0gY3Jvd2RzZWN1cml0eS92aXJ0dWFsLXBhdGNoaW5nCi0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtZGVmYXVsdAphcHBzZWMtcnVsZXM6Ci0gY3Jvd2RzZWN1cml0eS9iYXNlLWNvbmZpZwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWVudi1hY2Nlc3MKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00MDA0NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE3LTk4NDEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xMTczOAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTI3OTI2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMzU5MTQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NjE2OQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMTk4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjI1MTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zMzYxNwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUxOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQyNzkzCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNTAxNjQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zODIwNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTI0NDg5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMzEyOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIxLTIyOTQxCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTktMTI5ODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NDg3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwNTYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjU1MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwMDA4NjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xMDAzMDMwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjI5NjUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzc1MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQ5MDcwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtbGFyYXZlbC1kZWJ1Zy1tb2RlCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjgxMjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xNzQ5NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTEzODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy03MDI4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDY4MDUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yMzg5NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIyNTI3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUwNzgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTA4MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTU0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTIxMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLXN5bWZvbnktcHJvZmlsZXIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1jb25uZWN0d2lzZS1hdXRoLWJ5cGFzcwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTIyMDI0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjcxOTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNDU3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5ODQ5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDcyMTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1naXQtY29uZmlnCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMzIxMTMKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjcyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjgyNTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yOTgyNAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3MzQ4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjAtNTkwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEzMzc5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjYxMzQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zNDEwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5OTczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDEwODIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xODkzNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTgxOTAKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yODk4NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODU2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTgtMjAwNjIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMS0yNjA4NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUxNTY3CmF1dGhvcjogY3Jvd2RzZWN1cml0eQpjb250ZXh0czoKLSBjcm93ZHNlY3VyaXR5L2FwcHNlY19iYXNlCmRlc2NyaXB0aW9uOiBhIGdlbmVyaWMgdmlydHVhbCBwYXRjaGluZyBjb2xsZWN0aW9uLCBzdWl0YWJsZSBmb3IgbW9zdCB3ZWIgc2VydmVycy4KbmFtZTogY3Jvd2RzZWN1cml0eS9hcHBzZWMtdmlydHVhbC1wYXRjaGluZwpwYXJzZXJzOgotIGNyb3dkc2VjdXJpdHkvYXBwc2VjLWxvZ3MKc2NlbmFyaW9zOgotIGNyb3dkc2VjdXJpdHkvYXBwc2VjLXZwYXRjaAo=",
"content": "YXBwc2VjLWNvbmZpZ3M6Ci0gY3Jvd2RzZWN1cml0eS92aXJ0dWFsLXBhdGNoaW5nCi0gY3Jvd2RzZWN1cml0eS9hcHBzZWMtZGVmYXVsdAphcHBzZWMtcnVsZXM6Ci0gY3Jvd2RzZWN1cml0eS9iYXNlLWNvbmZpZwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLWVudi1hY2Nlc3MKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy00MDA0NAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE3LTk4NDEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xMTczOAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTI3OTI2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMzU5MTQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NjE2OQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIwMTk4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjI1MTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zMzYxNwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTM0MzYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUxOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQyNzkzCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNTAxNjQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zODIwNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTI0NDg5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjEtMzEyOQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIxLTIyOTQxCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTktMTI5ODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMi00NDg3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwNTYyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNjU1MwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEwMDA4NjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xMDAzMDMwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjI5NjUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0yMzc1MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTQ5MDcwCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtbGFyYXZlbC1kZWJ1Zy1tb2RlCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMjgxMjEKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMC0xNzQ5NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTEzODkKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy03MDI4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDY4MDUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yMzg5NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIzLTIyNTI3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtMzUwNzgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMy0zNTA4MgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDIyLTIyOTU0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMTIxMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLXN5bWZvbnktcHJvZmlsZXIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1jb25uZWN0d2lzZS1hdXRoLWJ5cGFzcwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTIyMDI0Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjcxOTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtNDU3NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5ODQ5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjMtNDcyMTgKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1naXQtY29uZmlnCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMzIxMTMKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zMjcyCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjgyNTUKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yOTgyNAotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI3MzQ4Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjAtNTkwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDE4LTEzMzc5Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItMjYxMzQKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0zNDEwMgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTI5OTczCi0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjItNDEwODIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAxOS0xODkzNQotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTgxOTAKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yODk4NwotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTM4ODU2Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMTgtMjAwNjIKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyMS0yNjA4NgotIGNyb3dkc2VjdXJpdHkvdnBhdGNoLUNWRS0yMDI0LTUxNTY3Ci0gY3Jvd2RzZWN1cml0eS92cGF0Y2gtQ1ZFLTIwMjQtMjc5NTYKLSBjcm93ZHNlY3VyaXR5L3ZwYXRjaC1DVkUtMjAyNC0yNzk1NAphdXRob3I6IGNyb3dkc2VjdXJpdHkKY29udGV4dHM6Ci0gY3Jvd2RzZWN1cml0eS9hcHBzZWNfYmFzZQpkZXNjcmlwdGlvbjogYSBnZW5lcmljIHZpcnR1YWwgcGF0Y2hpbmcgY29sbGVjdGlvbiwgc3VpdGFibGUgZm9yIG1vc3Qgd2ViIHNlcnZlcnMuCm5hbWU6IGNyb3dkc2VjdXJpdHkvYXBwc2VjLXZpcnR1YWwtcGF0Y2hpbmcKcGFyc2VyczoKLSBjcm93ZHNlY3VyaXR5L2FwcHNlYy1sb2dzCnNjZW5hcmlvczoKLSBjcm93ZHNlY3VyaXR5L2FwcHNlYy12cGF0Y2gK",
"description": "a generic virtual patching collection, suitable for most web servers.",
"author": "crowdsecurity",
"labels": null,
Expand Down Expand Up @@ -3625,7 +3687,9 @@
"crowdsecurity/vpatch-CVE-2024-38856",
"crowdsecurity/vpatch-CVE-2018-20062",
"crowdsecurity/vpatch-CVE-2021-26086",
"crowdsecurity/vpatch-CVE-2024-51567"
"crowdsecurity/vpatch-CVE-2024-51567",
"crowdsecurity/vpatch-CVE-2024-27956",
"crowdsecurity/vpatch-CVE-2024-27954"
],
"appsec-configs": [
"crowdsecurity/virtual-patching",
Expand Down
39 changes: 39 additions & 0 deletions appsec-rules/crowdsecurity/vpatch-CVE-2024-27954.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
name: crowdsecurity/vpatch-CVE-2024-27954
description: "WP Automatic - Path Traversal (CVE-2024-27954)"
rules:
- and:
- zones:
- METHOD
match:
type: equals
value: GET
- zones:
- ARGS
variables:
- wp_automatic
transform:
- lowercase
match:
type: equals
value: "download"
- zones:
- ARGS
variables:
- link
transform:
- lowercase
match:
type: startsWith
value: "file://"
labels:
type: exploit
service: http
confidence: 3
spoofable: 0
behavior: "http:exploit"
label: "WP Automatic - Path Traversal"
classification:
- cve.CVE-2024-27954
- attack.T1595
- attack.T1190
- cwe.CWE-22
36 changes: 36 additions & 0 deletions appsec-rules/crowdsecurity/vpatch-CVE-2024-27956.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@

name: crowdsecurity/vpatch-CVE-2024-27956
description: "WordPress Automatic Plugin - SQLi (CVE-2024-27956)"
rules:
- and:
- zones:
- METHOD
match:
type: equals
value: POST
- zones:
- URI
transform:
- lowercase
match:
type: endsWith
value: /wp-content/plugins/wp-automatic/inc/csv.php
- zones:
- BODY_ARGS
variables:
- auth
match:
type: contains
value: "\x00"
labels:
type: exploit
service: http
confidence: 3
spoofable: 0
behavior: "http:exploit"
label: "WordPress Automatic Plugin - SQLi"
classification:
- cve.CVE-2024-27956
- attack.T1595
- attack.T1190
- cwe.CWE-502
2 changes: 2 additions & 0 deletions collections/crowdsecurity/appsec-virtual-patching.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,8 @@ appsec-rules:
- crowdsecurity/vpatch-CVE-2018-20062
- crowdsecurity/vpatch-CVE-2021-26086
- crowdsecurity/vpatch-CVE-2024-51567
- crowdsecurity/vpatch-CVE-2024-27956
- crowdsecurity/vpatch-CVE-2024-27954
author: crowdsecurity
contexts:
- crowdsecurity/appsec_base
Expand Down
44 changes: 44 additions & 0 deletions taxonomy/scenarios.json
Original file line number Diff line number Diff line change
Expand Up @@ -1311,6 +1311,50 @@
"CWE-77"
]
},
"crowdsecurity/vpatch-CVE-2024-27954": {
"name": "crowdsecurity/vpatch-CVE-2024-27954",
"description": "WP Automatic - Path Traversal (CVE-2024-27954)",
"label": "WP Automatic - Path Traversal",
"behaviors": [
"http:exploit"
],
"mitre_attacks": [
"TA0043:T1595",
"TA0001:T1190"
],
"confidence": 3,
"spoofable": 0,
"cti": true,
"service": "http",
"cves": [
"CVE-2024-27954"
],
"cwes": [
"CWE-22"
]
},
"crowdsecurity/vpatch-CVE-2024-27956": {
"name": "crowdsecurity/vpatch-CVE-2024-27956",
"description": "WordPress Automatic Plugin - SQLi (CVE-2024-27956)",
"label": "WordPress Automatic Plugin - SQLi",
"behaviors": [
"http:exploit"
],
"mitre_attacks": [
"TA0043:T1595",
"TA0001:T1190"
],
"confidence": 3,
"spoofable": 0,
"cti": true,
"service": "http",
"cves": [
"CVE-2024-27956"
],
"cwes": [
"CWE-502"
]
},
"crowdsecurity/vpatch-CVE-2024-28255": {
"name": "crowdsecurity/vpatch-CVE-2024-28255",
"description": "OpenMetadata - Authentication Bypass (CVE-2024-28255)",
Expand Down

0 comments on commit 390a0b3

Please sign in to comment.