
tsunami-security-scanner-plugins's Introduction

Plugins for Tsunami Security Scanner

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.

Contributing

Read how to contribute to Tsunami.

Source Code Headers

Every file containing source code must include copyright and license information. This includes any JS/CSS files that you might be serving out to browsers. (This is to help well-intentioned people avoid accidental copying that doesn't comply with the license.)

Apache header:

Copyright 2020 Google LLC

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Disclaimer

Tsunami Security Scanner and its plugins are not officially supported Google products.

tsunami-security-scanner-plugins's People

Contributors

alessandrocotto, am0o0, c4o, cpovirk, dawidg-doyen, fmunozs, frkngksl, gaby, h0ng10, hh-hunter, isaac-gc, kluever, leonardo-doyensec, magl0, maoning, moritzwilhelm, nikhen, nttran8, occamsxor, paradoxengine, quanyang, schischi, secureness, thiscodecc, threedr3am, timoles, tooryx, vsutedjo, w0ngl1, yuriypobezhymov


tsunami-security-scanner-plugins's Issues

PRP: Request CVE-2020-2551

Vulnerability details:

Type: Oracle WebLogic Server product of Oracle Fusion Middleware
Score: 9.80 Critical
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2551
- https://github.com/hktalent/CVE-2020-2551

The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The vulnerability should have a relatively large impact radius. Yes, Oracle WebLogic Server product of Oracle Fusion Middleware
Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2021-22214: Gitlab SSRF

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-22214: Gitlab SSRF.

Vulnerability details:

Type: Unauthenticated Gitlab SSRF - CI Lint API
Score: 8.60 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
- https://docs.gitlab.com/ee/api/lint.html

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, GitLab is widely used in CI/CD pipelines.

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2020-17519 Apache Flink REST API File Inclusion (LFI)

Hello,

I would like to start the implementation for a plugin that detects CVE-2020-17519 Apache Flink REST API File Inclusion (LFI)

Vulnerability details:

Type: Apache Flink REST API File Inclusion (LFI)
Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, Microsoft Exchange server is widely used; more than 500+ instances are exposed on Shodan.

Please let me know if this is in scope as I've already made the development.

PRP: Request PHP 8.1.0-dev User-Agentt Backdoor

Hello,

I would like to start the implementation for a plugin that detects PHP 8.1.0-dev User-Agentt Backdoor

Vulnerability details:

Type: PHP 8.1.0-dev User-Agentt Backdoor
Score: 9.80 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, PHP server is widely used; more than 6993K+ instances are exposed on Shodan.

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2020-16846 SaltStack Shell Injection

Hello,

I would like to start the implementation for a plugin that detects CVE-2020-16846 SaltStack Shell Injection

Vulnerability details:

Type: SaltStack Shell Injection
Score: 9.80 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
- https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes,

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2021-22025

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-22025

The vulnerability should be relatively new and have already been patched. https://www.vmware.com/security/advisories/VMSA-2021-0018.html
The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The vulnerability should have a relatively large impact radius. VMware vRealize Operations
The vulnerability should be remotely exploitable without authentication and user interaction. Yes.
Please let me know if this is in scope to start with its development.

PRP: Request Springboot Heapdump Actuator

Vulnerability details:

Type: Springboot Heapdump Actuator Expose
Score: High
References:
- https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785

The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The vulnerability should have a relatively large impact radius. Yes, springboot
Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2021-26855 Exchange Server SSRF Vulnerability

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-26855 Exchange Server SSRF Vulnerability.

Vulnerability details:

Type: Exchange Server SSRF Vulnerability
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://proxylogon.com/#timeline
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
- https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
- https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, Microsoft Exchange is widely used (Shodan instances: 232,165).

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2020-5902 F5 BIG-IP TMUI RCE

Hello,

I would like to start the implementation for a plugin that detects CVE-2020-5902 F5 BIG-IP TMUI RCE

Vulnerability details:

Type: F5 BIG-IP TMUI RCE
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158334/BIG-IP-TMUI-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html
- http://packetstormsecurity.com/files/158414/Checker-CVE-2020-5902.html
- http://packetstormsecurity.com/files/158581/F5-Big-IP-13.1.3-Build-0.0.6-Local-File-Inclusion.html
- https://badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/
- https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902
- https://support.f5.com/csp/article/K52145254
- https://swarm.ptsecurity.com/rce-in-f5-big-ip/
- https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
- https://www.kb.cert.org/vuls/id/290915

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes,

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2021-22005 VMware vCenter Server file upload vulnerability

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-22005 VMware vCenter Server file upload.

Vulnerability details:

Type: VMware vCenter Server file upload vulnerability
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://kb.vmware.com/s/article/85717
- https://www.vmware.com/security/advisories/VMSA-2021-0020.html
- https://core.vmware.com/vmsa-2021-0020-questions-answers-faq

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, VMware vCenter is widely used.

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2020-17496 vBulletin Pre-Auth RCE

Hello,

I would like to start the implementation for a plugin that detects CVE-2020-17496

Please let me know if this is in scope to start with its development.

PRP: Request CVE-2021-29200

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-29200

The vulnerability should be relatively new and have already been patched. https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7bf1e8097@%3Cuser.ofbiz.apache.org%3E
The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The vulnerability should have a relatively large impact radius. Apache OFBiz
The vulnerability should be remotely exploitable without authentication and user interaction. Yes.
Please let me know if this is in scope to start with its development.

PRP: Request CVE-2021-28169 Jetty Utility Servlets Information Disclosure

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-28169 Jetty Utility Servlets Information Disclosure

Vulnerability details:

Type: CVE-2021-28169 Jetty Utility Servlets Information Disclosure
Score: 5.30 Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
- https://twitter.com/sec715/status/1406787963569065988
- https://nvd.nist.gov/vuln/detail/CVE-2021-28169

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, Jetty is widely used

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2021-21307 Unauthenticated Remote Code Exploit (RCE)

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-21307.

Vulnerability details:

  • Type: Unauthenticated Remote Code Execution (RCE)

  • Score: 9.8 CRITICAL

  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • References:

  • The vulnerability should be remotely exploitable without authentication and user interaction. Yes

  • The detector should provide a reliable false-positive free detection report. Yes

  • The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes

  • The vulnerability should have a relatively large impact radius. Yes, 500k + pulls on docker hub

PRP: Request CVE-2020-3452 Cisco Adaptive Security Appliance Path Traversal

Hello,

I would like to start the implementation for a plugin that detects CVE-2020-3452 Cisco Adaptive Security Appliance Path Traversal

Vulnerability details:

Type: Cisco Adaptive Security Appliance Path Traversal
Score: 7.50 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
- https://twitter.com/aboul3la/status/1286012324722155525
- http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html
- http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html
- http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html
- http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes,

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2021-34429 Jetty Authorization Before Parsing and Canonicalization Variation

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-34429 Jetty Authorization Before Parsing and Canonicalization Variation

Vulnerability details:

Type: CVE-2021-34429 Jetty Authorization Before Parsing and Canonicalization Variation
Score: 5.30 Medium
Vector:
References:
- GHSA-vjv5-gp2w-65vm

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, Jetty is widely used

Please let me know if this is in scope as I've already made the development.

PRP: Request Woocommerce SQL Injection

Vulnerability details:

Type: Woocommerce SQL Injection
References:
- https://patchstack.com/woocommerce-sql-injection-vulnerability/
- https://www.kroll.com/en/insights/publications/cyber/critical-sql-injection-vulnerability-patched-woocommerce

The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The vulnerability should have a relatively large impact radius. Yes, Woocommerce
Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2020-11710

Vulnerability details:

Type: Kong Admin Rest API Unauth
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:

The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The vulnerability should have a relatively large impact radius. Yes, Kong API Gateway
Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2021-28164 Jetty Authorization Before Parsing and Canonicalization

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-28164 Jetty Authorization Before Parsing and Canonicalization.

Vulnerability details:

Type: CVE-2021-28164 Jetty Authorization Before Parsing and Canonicalization
Score: 5.30 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
- GHSA-v7ff-8wcx-gmc5
- https://github.com/vulhub/vulhub/tree/1239bca12c75630bb2033b728140ed5224dcc6d8/jetty

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, Jetty is widely used

Please let me know if this is in scope as I've already made the development.

Feature request: Support for passing cli args to nmap

I have been playing with tsunami, and I noticed the configuration files for the nmap scanner only support the path of the binary and list of ports.

Is there any way of passing additional arguments to the nmap binary, like the ones you would use on the CLI?

PRP: Request Django Debug Method Enabled

Hello,

I would like to start the implementation for a plugin that detects Django Debug Method Enabled

Vulnerability details:

Type: Django Debug Method Enabled
Score: 5.0 Medium

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes,

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2020-9402 Django SQL Injection

Hello,

I would like to start the implementation for a plugin that detects CVE-2020-9402 Django SQL Injection

Vulnerability details:

Type: CVE-2020-9402 Django SQL Injection
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
- https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://nvd.nist.gov/vuln/detail/CVE-2020-9402

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes,

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2021-2394

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-2394

The vulnerability should be relatively new and have already been patched. https://www.oracle.com/security-alerts/cpujul2021.html
The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The vulnerability should have a relatively large impact radius. Oracle WebLogic Server
The vulnerability should be remotely exploitable without authentication and user interaction. Yes.
Please let me know if this is in scope to start with its development.

PRP: Request phpMyAdmin Sensitive data exposure

Vulnerability details:

Type: Unauthenticated PHPMyAdmin leads to exposure of sensitive information
Score: High
References:

The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The vulnerability should have a relatively large impact radius. Yes, phpMyAdmin
Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2020-14882

Hello,

I would like to start the implementation for a plugin that detects CVE-2020-14882

  • The vulnerability should be relatively new and have already been patched. https://www.oracle.com/security-alerts/cpuoct2020traditional.html
  • The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • The vulnerability should have a relatively large impact radius. Oracle WebLogic Server
  • The vulnerability should be remotely exploitable without authentication and user interaction. Yes.

Please let me know if this is in scope to start with its development.

PRP: Request Docker Misconfiguration

Vulnerability details:

Type: Docker Misconfiguration
Score: High
References:
- https://madhuakula.com/content/attacking-and-auditing-docker-containers-using-opensource/attacking-docker-containers/misconfiguration.html
- Other endpoints /.dockercfg,/.docker/config.json

The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The vulnerability should have a relatively large impact radius. Yes, Docker
Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2021-35464: RCE through Confluence Server OGNL

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-26084

  • The vulnerability should be relatively new and have already been patched. https://jira.atlassian.com/browse/CONFSERVER-67940
  • The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • The vulnerability should have a relatively large impact radius. Confluence is actively used by organizations
  • The vulnerability should be remotely exploitable without authentication and user interaction. Yes.

Please let me know if this is in scope to start with its development.

CVE 2020-3187 - unauthenticated arbitrary file deletion in Cisco ASA

Hello,

I would like to start the implementation for a plugin that detects CVE 2020-3187 unauthenticated arbitrary file deletion in Cisco ASA/FTD

Vulnerability details:

Type: Cisco ASA/FTD
Score: 9.1 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References:

- http://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using vulnerable, Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes,

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2021-35464

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-35464.

Vulnerability details:

Please let me know if this is in scope as I've already started the development 😸.

PRP: Request CVE-2021-21985 vmware vcenter RCE

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-21985

The vulnerability should be relatively new and have already been patched. https://www.vmware.com/security/advisories/VMSA-2021-0010.html
The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The vulnerability should have a relatively large impact radius. vmware vcenter
The vulnerability should be remotely exploitable without authentication and user interaction. Yes.
Please let me know if this is in scope to start with its development.

PRP: Request CVE-2020-1938 Apache Tomcat AJP Arbitrary File Read / Include Vulnerability

Hello,

I would like to start the implementation for a plugin that detects CVE-2020-1938 Apache Tomcat AJP Arbitrary File Read / Include Vulnerability

Vulnerability details:

Type: Apache Tomcat AJP Arbitrary File Read / Include Vulnerability
Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:

- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
- http://support.blackberry.com/kb/articleDetail?articleNumber=000062739
- https://nvd.nist.gov/vuln/detail/CVE-2020-1938

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, Tomcat Server is widely used; more than 1851k+ instances are exposed on Shodan.

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2021-29622 Prometheus Open Redirect

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-29622 Prometheus Open Redirect.

Vulnerability details:

Type: CVE-2021-29622 Prometheus Open Redirect
Score: 6.10 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
- GHSA-vx57-7f4q-fpc7

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, Prometheus is widely used on the Internet.

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2019-3396 Confluence Unauthorized RCE Vulnerability

Hello,

I would like to start the implementation for a plugin that detects CVE-2019-3396 Confluence Unauthorized RCE Vulnerability.

Vulnerability details:

Type: CVE-2019-3396 Confluence Unauthorized RCE Vulnerability
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:

The vulnerability should be remotely exploitable without authentication and user interaction: Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes

Please let me know if this is in scope to start with its development.

Custom Nmap Report Parser does not accurately parse HTTP/HTTPS services

The nmap plugin switched to a custom XML report parser from this commit. However, I noticed in certain cases where HTTPS was the actual service, nmap returned a result like this:

<service name="http" tunnel="ssl" method="probed" conf="10"/>

Even though the service name is http, the tunnel is ssl, so https would be a more appropriate tag. However, the parser simply takes the service name without further checks, causing requests to be sent to http://<HOST>:443/. Most servers reject such a request since SSL is required, leading to "unexpected end of stream" errors.

I've also noticed non-default HTTPS ports being wrongly interpreted as FTP or SSH. Perhaps the team could look into reverting back to the nmap plugin to parse results in the meantime while working on improving the XML parser.
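The normalization the report above asks for, written as an added example (not code from the Tsunami project, whose nmap plugin is Java): parse the `<service>` elements of an nmap XML report, combine `name` with `tunnel="ssl"` into `https`, and keep nmap's `method`/`conf` attributes so a caller can tell a probed identification from a port-number table guess. The XML report fragment is constructed for the example; the function and class names are my own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

# Constructed nmap -oX fragment (not real scan output). Port 443 shows the
# case from the report: name="http" with tunnel="ssl". Port 2222 shows a
# table-lookup guess (method="table", low conf) that was never probed.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" tunnel="ssl" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="2222">
        <state state="open"/>
        <service name="EtherNetIP-1" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="closed"/>
        <service name="ssh" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


@dataclass(frozen=True)
class DetectedService:
    host: str
    port: int
    protocol: str
    name: str         # normalized service name ("https", not "http" + tunnel=ssl)
    tls: bool         # True when nmap reported tunnel="ssl"
    probed: bool      # True when nmap identified the service by probing it
    confidence: int   # nmap's 0-10 confidence value for the identification


def normalize_service_name(name: str, tunnel: Optional[str]) -> Tuple[str, bool]:
    """Fold nmap's (name, tunnel) pair into one service name.

    nmap reports a TLS-wrapped HTTP server as name="http" tunnel="ssl".
    Using name alone yields "http", and a scanner then sends plaintext HTTP
    to a TLS port, which is the failure described in the report.
    """
    tls = (tunnel or "").lower() == "ssl"
    if tls and name == "http":
        return "https", True
    return name, tls


def parse_nmap_services(xml_text: str, min_confidence: int = 0) -> List[DetectedService]:
    """Return open-port services from an nmap XML report.

    Services whose conf is below min_confidence are dropped; nmap's
    table-based guesses (method="table") carry low conf values, so a
    threshold filters the unprobed guesses that produce misidentifications.
    """
    root = ET.fromstring(xml_text)
    results: List[DetectedService] = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "") if addr_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None:
                continue
            conf = int(svc.get("conf", "0"))
            if conf < min_confidence:
                continue
            name, tls = normalize_service_name(svc.get("name", ""), svc.get("tunnel"))
            results.append(DetectedService(
                host=addr,
                port=int(port.get("portid", "0")),
                protocol=port.get("protocol", "tcp"),
                name=name,
                tls=tls,
                probed=svc.get("method") == "probed",
                confidence=conf,
            ))
    return results


def service_url(svc: DetectedService) -> Optional[str]:
    """Build the base URL a web detector should use, or None for non-HTTP services."""
    if svc.name not in ("http", "https"):
        return None
    scheme = "https" if (svc.tls or svc.name == "https") else "http"
    return f"{scheme}://{svc.host}:{svc.port}/"


if __name__ == "__main__":
    for s in parse_nmap_services(SAMPLE_NMAP_XML):
        print(s.port, s.name, "tls" if s.tls else "plain", "probed" if s.probed else "table-guess", service_url(s))
```

Feeding the parser's output through `service_url` gives `https://192.0.2.10:443/` for the port-443 entry, and passing `min_confidence=5` drops the unprobed table guess on 2222, which is the kind of entry behind the FTP/SSH misidentifications the report mentions.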

PRP: Request CVE-2021-25281 - SaltStack wheel_async unauth access

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-25281 - SaltStack wheel_async unauth access

Vulnerability details:

Type: CVE-2021-25281 - SaltStack wheel_async unauth access
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://hackdig.com/02/hack-283902.htm

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes,

Please let me know if this is in scope as I've already made the development.

PRP: Request CVE-2021-26084 Confluence Server Webwork Pre-Auth OGNL Injection

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-26084 Confluence Server Webwork Pre-Auth OGNL Injection

Vulnerability details:

Type: Confluence Server Webwork Pre-Auth OGNL Injection
Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:

- https://nvd.nist.gov/vuln/detail/CVE-2021-26084
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084
- http://packetstormsecurity.com/files/164013/Confluence-Server-7.12.4-OGNL-Injection-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/164122/Atlassian-Confluence-WebWork-OGNL-Injection.html (Exploit, Third Party)
- https://jira.atlassian.com/browse/CONFSERVER-67940

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, Confluence Server is widely used; more than 10,000 instances are exposed on Shodan.

Please let me know if this is in scope, as I've already made the development.

Wordpressplugin and Jenkinsplugin failed

Hello, we tried to build a testbed for testing the functionality of the tsunami-scanner.
We loaded Ubuntu 20.04.1 LTS on a VMware, where we installed the tsunami-security-scanner according to the instructions (Quick Start from tsunami-scanner-read-me page). We then deployed different docker containers on a server with images for the Jupyter notebook, Wordpress, and Jenkins.

docker run --name unauthenticated-jupyter-notebook -p 8888:8888 -d jupyter/base-notebook start-notebook.sh --NotebookApp.token=''
docker run -p 8443:8080 -p 50000:50000 jenkins
docker-compose up # with attached docker file

All systems were configured in a vulnerable state and should be recognized.
The scan for the jupyter notebook runs without any problems but when we scanned the wordpress or the jenkins we get an error message.
The important console output logline from the error message for Wordpress and Jenkins read as follows:

Sep 17, 2020 1:57:40 PM com.google.tsunami.plugin.PluginExecutorImpl buildFailedResult
WARNING: Plugin '/Tsunami Team ([email protected])/VULN_DETECTION/WordPressInstallPageDetector/0.1' failed.

Sep 16, 2020 3:14:50 PM com.google.tsunami.plugin.PluginExecutorImpl buildFailedResult
WARNING: Plugin '/Tsunami Team ([email protected])/VULN_DETECTION/JenkinsExposedUiDetector/0.1' failed.

Then we tried to debug the code from WordPressInstallPageDetector.java and JenkinsExposedUiDetector.java by adding additional log lines and exception handling to pinpoint the problem. Here's the example for the Wordpress plugin:

  private static boolean responseHasSetupForm(String responseBody) {
    logger.atInfo().log("[WP] trying to determine if responseHasSetupForm");
    try {
      logger.atInfo().log("[WP] getting installationForm");
      logger.atInfo().log("[WP] responseBody: %s", responseBody);

      // Look for the WordPress installer form; an empty selection means WP is installed.
      Elements installationForm = Jsoup.parse(responseBody).select("form#setup");
      logger.atInfo().log("[WP] got installationForm object. Checking if empty");
      if (installationForm.isEmpty()) {
        logger.atInfo().log("WordPress has already been installed.");
        return false;
      } else {
        logger.atInfo().log("Found unfinished WordPress installation!");
        return true;
      }
    } catch (Exception e) {
      logger.atInfo().log("[WP] an exception got thrown in responseHasSetupForm");
      logger.atInfo().log("[WP] %s", e.getMessage());
      throw e;
    }
  }

The last logline that we could get from the Wordpress code was in the responseHasSetupForm method right before the Jsoup.parse.

Neither the following line nor the exception was logged, hence we conclude that this is a hard crash of Jsoup, at which point we stopped debugging. The exact same behavior was seen in the Jenkins plugin.

The Java version that we had used was:

openjdk version "1.8.0_265"
OpenJDK Runtime Environment (build 1.8.0_265-8u265-b01-0ubuntu2~20.04-b01)
OpenJDK 64-Bit Server VM (build 25.265-b01, mixed mode)

composefile.txt
scannoutput.txt
JSONoutput.log

PRP: Request CVE-2021-21234 springboot actuator logview Arbitrary file reading

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-21234

The vulnerability should be relatively new and have already been patched. GHSA-p4q6-qxjx-8jgp
The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
The vulnerability should have a relatively large impact radius. spring boot actuator logview
The vulnerability should be remotely exploitable without authentication and user interaction. Yes.
Please let me know if this is in scope to start with its development.

PRP: Request CVE-2019-17558 Apache Solr Remote Code Execution Via Velocity Custom Template

Hello,

I would like to start the implementation for a plugin that detects CVE-2019-17558 Apache Solr Remote Code Execution Via Velocity Custom Template

Vulnerability details:

Type: Apache Solr Remote Code Execution Via Velocity Custom Template
Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:

https://nvd.nist.gov/vuln/detail/CVE-2019-17558
https://issues.apache.org/jira/browse/SOLR-13971
https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
https://github.com/jas502n/solr_rce

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, Apache Solr is widely used; more than 188k instances are exposed on FOFA.

Please let me know if this is in scope, as I've already made the development.

PRP: Request CVE-2021-34473 Exchange Server SSRF (ProxyShell)

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-34473 Exchange Server SSRF (ProxyShell)

Vulnerability details:

Type: Exchange Server SSRF (ProxyShell)
Score: 9.80 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes, Microsoft Exchange Server is widely used; more than 200K instances are exposed on Shodan.

Please let me know if this is in scope, as I've already made the development.

Dirname error in govtech build_all.sh

@GovTech-CSG I am attempting to run the build_all.sh script from within the /tsunami-security-scanner-plugins/govtech directory using "./build_all.sh" (as described in the README) and am getting the following error:

dirname: missing operand
Try 'dirname --help' for more information.

While I have not used dirname much, I would guess the issue is with the 2nd instance of dirname, on line 24, since dirname appears to lack an argument there:

for plugin_dir in $(find "${SCRIPT_PATH}" -name 'gradlew' -print0 | xargs -0 -n1 dirname | sort --unique) ; do

Let me know if I'm missing something. I have dirname v8.30 on an updated Ubuntu install, in case this is a dirname version issue.

PRP: Request CVE-2021-28918 Netmask NPM Package SSRF

Hello,

I would like to start the implementation for a plugin that detects CVE-2021-28918 Netmask NPM Package SSRF

Vulnerability details:

Type: Netmask NPM Package SSRF
Score: 9.10 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-28918
- GHSA-pch5-whg9-qr2r

The vulnerability should be remotely exploitable without authentication and user interaction. Yes

The detector should provide a reliable false-positive free detection report. Yes

The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.

The vulnerability should have a relatively large impact radius. Yes.

Please let me know if this is in scope, as I've already made the development.
