google / tsunami-security-scanner-plugins Goto Github PK
This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
License: Apache License 2.0
Vulnerability details:
Type: Docker Misconfiguration
Score: High
References:
- https://madhuakula.com/content/attacking-and-auditing-docker-containers-using-opensource/attacking-docker-containers/misconfiguration.html
- Other endpoints /.dockercfg,/.docker/config.json
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The vulnerability should have a relatively large impact radius. Yes, Docker
Please let me know if this is in scope as I've already made the development.
Hello, we tried to build a testbed for testing the functionality of the tsunami-scanner.
We loaded Ubuntu 20.04.1 LTS on VMware, where we installed the tsunami-security-scanner according to the instructions (Quick Start from the tsunami-scanner README page). We then deployed different docker containers on a server with images for the Jupyter notebook, Wordpress, and Jenkins.
docker run --name unauthenticated-jupyter-notebook -p 8888:8888 -d jupyter/base-notebook start-notebook.sh --NotebookApp.token=''
docker run -p 8443:8080 -p 50000:50000 jenkins
docker-compose up # with attached docker file
All systems were configured in a vulnerable state and should be recognized.
The scan for the Jupyter notebook runs without any problems, but when we scanned Wordpress or Jenkins we got an error message.
The important console output loglines from the error messages for Wordpress and Jenkins read as follows:
Sep 17, 2020 1:57:40 PM com.google.tsunami.plugin.PluginExecutorImpl buildFailedResult
WARNUNG: Plugin '/Tsunami Team ([email protected])/VULN_DETECTION/WordPressInstallPageDetector/0.1' failed.
Sep. 16, 2020 3:14:50 NACHM. com.google.tsunami.plugin.PluginExecutorImpl buildFailedResult
WARNUNG: Plugin '/Tsunami Team ([email protected])/VULN_DETECTION/JenkinsExposedUiDetector/0.1' failed.
Then we tried to debug the code from WordPressInstallPageDetector.java and JenkinsExposedUiDetector.java by adding additional log lines and exception handling to pinpoint the problem. Here's the example for the Wordpress plugin:
import com.google.common.flogger.GoogleLogger;
import org.jsoup.Jsoup;
import org.jsoup.select.Elements;

// Debug-instrumented copy of the detector helper; the logger field is assumed to be the
// plugin's usual Flogger instance.
private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();

private static boolean responseHasSetupForm(String responseBody) {
  logger.atInfo().log("[WP] trying to determine if responseHasSetupForm");
  try {
    logger.atInfo().log("[WP] getting installationForm");
    // Dump the raw body so the exact input handed to Jsoup is visible in the log.
    logger.atInfo().log("[WP] responseBody: %s", responseBody);
    Elements installationForm = Jsoup.parse(responseBody).select("form#setup");
    logger.atInfo().log("[WP] got installationForm object. Checking if empty");
    if (installationForm.isEmpty()) {
      logger.atInfo().log("WordPress has already been installed.");
      return false;
    } else {
      logger.atInfo().log("Found unfinished WordPress installation!");
      return true;
    }
  } catch (Exception e) {
    // Note: catch (Exception) does not see java.lang.Error subclasses such as
    // NoClassDefFoundError, so a linkage failure inside Jsoup bypasses this handler.
    logger.atInfo().log("[WP] an exception got thrown in responseHasSetupForm");
    logger.atInfo().log("[WP] %s", e.getMessage());
    throw e;
  }
}
The last logline that we could get from the Wordpress code was in the responseHasSetupForm method, right before the Jsoup.parse. Neither the following line nor the exception was logged, hence we conclude that this is a hard crash of Jsoup, at which point we stopped debugging. The exact same behavior was seen in the Jenkins plugin.
The Java version we used was:
openjdk version "1.8.0_265"
OpenJDK Runtime Environment (build 1.8.0_265-8u265-b01-0ubuntu2~20.04-b01)
OpenJDK 64-Bit Server VM (build 25.265-b01, mixed mode)
Hello,
I would like to start the implementation for a plugin that detects CVE-2020-16846 SaltStack Shell Injection
Vulnerability details:
Type: SaltStack Shell Injection
Score: 9.80 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://mp.weixin.qq.com/s/R8qw_lWizGyeJS0jOcYXag
- https://github.com/vulhub/vulhub/tree/master/saltstack/CVE-2020-16846
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes,
Please let me know if this is in scope as I've already made the development .
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-34429 Jetty Authorization Before Parsing and Canonicalization Variation
Vulnerability details:
Type: CVE-2021-34429 Jetty Authorization Before Parsing and Canonicalization Variation
Score: 5.30 Medium
Vector:
References:
- GHSA-vjv5-gp2w-65vm
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, Jetty is widely used
Please let me know if this is in scope as I've already made the development .
Hello,
I would like to start the implementation for a plugin that detects CVE-2020-17496
Please let me know if this is in scope to start with its development.
Previous working build on jre-openjdk-15.0.3.u3:
https://github.com/aminvakil/aur/runs/2835117627?check_suite_focus=true
Failed build with new jre-openjdk-16.0.1.u9:
https://github.com/aminvakil/aur/runs/2845112253?check_suite_focus=true
Read from:
> startup failed:
General error during semantic analysis: Unsupported class file major version 60
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-28164 Jetty Authorization Before Parsing and Canonicalization.
Vulnerability details:
Type: CVE-2021-28164 Jetty Authorization Before Parsing and Canonicalization
Score: 5.30 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
- GHSA-v7ff-8wcx-gmc5
- https://github.com/vulhub/vulhub/tree/1239bca12c75630bb2033b728140ed5224dcc6d8/jetty
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, Jetty is widely used
Please let me know if this is in scope as I've already made the development .
Hello,
I would like to start the implementation for a plugin that detects Django Debug Method Enabled
Vulnerability details:
Type: Django Debug Method Enabled
Score: 5.0 Medium
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes,
Please let me know if this is in scope as I've already made the development .
Hello,
I would like to start the implementation for a plugin that detects CVE-2020-5902 F5 BIG-IP TMUI RCE
Vulnerability details:
Type: F5 BIG-IP TMUI RCE
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://packetstormsecurity.com/files/158333/BIG-IP-TMUI-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158334/BIG-IP-TMUI-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/158366/F5-BIG-IP-TMUI-Directory-Traversal-File-Upload-Code-Execution.html
- http://packetstormsecurity.com/files/158414/Checker-CVE-2020-5902.html
- http://packetstormsecurity.com/files/158581/F5-Big-IP-13.1.3-Build-0.0.6-Local-File-Inclusion.html
- https://badpackets.net/over-3000-f5-big-ip-endpoints-vulnerable-to-cve-2020-5902/
- https://github.com/Critical-Start/Team-Ares/tree/master/CVE-2020-5902
- https://support.f5.com/csp/article/K52145254
- https://swarm.ptsecurity.com/rce-in-f5-big-ip/
- https://www.criticalstart.com/f5-big-ip-remote-code-execution-exploit/
- https://www.kb.cert.org/vuls/id/290915
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes,
Please let me know if this is in scope as I've already made the development .
Hello,
I would like to start the implementation for a plugin that detects CVE-2020-9402 Django SQL Injection
Vulnerability details:
Type: CVE-2020-9402 Django SQL Injection
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
- https://github.com/vulhub/vulhub/tree/master/django/CVE-2020-9402
- https://docs.djangoproject.com/en/3.0/releases/security/
- https://nvd.nist.gov/vuln/detail/CVE-2020-9402
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes,
Please let me know if this is in scope as I've already made the development .
@GovTech-CSG I am attempting to run the build_all.sh script from within the /tsunami-security-scanner-plugins/govtech directory using "./build_all.sh" (as described in the README) and am getting the following error:
dirname: missing operand Try 'dirname --help' for more information.
While I have not used dirname much, I would guess the issue is with the 2nd instance of dirname, on line 24, since dirname appears to lack an argument there.
Let me know if I'm missing something. I have dirname v8.30 on an updated Ubuntu install, in case this is a dirname version issue.
Hello,
I would like to start the implementation for a plugin that detects CVE-2020-17519 Apache Flink REST API File Inclusion (LFI)
Vulnerability details:
Type: Apache Flink REST API File Inclusion (LFI)
Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, Microsoft Exchange server is widely used; more than 500+ instances are exposed on Shodan
Please let me know if this is in scope as I've already made the development .
Hello,
I would like to start the implementation for a plugin that detects CVE-2020-1938 Apache Tomcat AJP Arbitrary File Read / Include Vulnerability
Vulnerability details:
Type: Apache Tomcat AJP Arbitrary File Read / Include Vulnerability
Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
http://support.blackberry.com/kb/articleDetail?articleNumber=000062739
https://nvd.nist.gov/vuln/detail/CVE-2020-1938
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, Tomcat Server is widely used; more than 1851k+ instances are exposed on Shodan
Please let me know if this is in scope as I've already made the development .
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-28169 Jetty Utility Servlets Information Disclosure
Vulnerability details:
Type: CVE-2021-28169 Jetty Utility Servlets Information Disclosure
Score: 5.30 Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References:
- https://twitter.com/sec715/status/1406787963569065988
- https://nvd.nist.gov/vuln/detail/CVE-2021-28169
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, Jetty is widely used
Please let me know if this is in scope as I've already made the development .
Algorithm of plugin:
Hello,
I would like to start the implementation for a plugin that detects CVE-2019-17558 Apache Solr Remote Code Execution Via Velocity Custom Template
Vulnerability details:
Type: Apache Solr Remote Code Execution Via Velocity Custom Template
Score: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
https://nvd.nist.gov/vuln/detail/CVE-2019-17558
https://issues.apache.org/jira/browse/SOLR-13971
https://gist.github.com/s00py/a1ba36a3689fa13759ff910e179fc133
https://github.com/jas502n/solr_rce
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, Apache Solr Server is widely used; more than 188k+ instances are exposed on FOFA
Please let me know if this is in scope as I've already made the development .
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-28918 Netmask NPM Package SSRF
Vulnerability details:
Type: Netmask NPM Package SSRF
Score: 9.10 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md
- https://nvd.nist.gov/vuln/detail/CVE-2021-28918
- GHSA-pch5-whg9-qr2r
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes,
Please let me know if this is in scope as I've already made the development .
Hello,
I would like to start the implementation for a plugin that detects CVE-2019-3396 Confluence Unauthorized RCE Vulnerability.
Vulnerability details:
Type: CVE-2019-3396 Confluence Unauthorized RCE Vulnerability
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
The vulnerability should be remotely exploitable without authentication and user interaction: Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes
Please let me know if this is in scope to start with its development.
Hi.
When using this program, it gives you a message
"status Message": "Failed plugins:\n/Tsunami Team ([email protected])/VULN_DETECTION/NcrackWeakCredentialDetectorPlugin/0.1"
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-22214: Gitlab SSRF.
Vulnerability details:
Type: Unauthenticated Gitlab SSRF - CI Lint API
Score: 8.60 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-22214
- https://vin01.github.io/piptagole/gitlab/ssrf/security/2021/06/15/gitlab-ssrf.html
- https://docs.gitlab.com/ee/api/lint.html
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, Gitlab is widely used in CICD pipeline
Please let me know if this is in scope as I've already made the development .
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-22025
The vulnerability should be relatively new and have already been patched. https://www.vmware.com/security/advisories/VMSA-2021-0018.html
The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The vulnerability should have a relatively large impact radius. VMware vRealize Operations
The vulnerability should be remotely exploitable without authentication and user interaction. Yes.
Please let me know if this is in scope to start with its development.
Implement by wrapping https://github.com/rbsec/sslscan or https://github.com/nabla-c0d3/sslyze ?
Hello,
I would like to start the implementation a for web application fingerprint that detects the following software - Confluence.
Docker hub image: https://hub.docker.com/r/atlassian/confluence
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-26084 Confluence Server Webwork Pre-Auth OGNL Injection
Vulnerability details:
Type: Confluence Server Webwork Pre-Auth OGNL Injection
Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-26084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26084
http://packetstormsecurity.com/files/164013/Confluence-Server-7.12.4-OGNL-Injection-Remote-Code-Execution.html
http://packetstormsecurity.com/files/164122/Atlassian-Confluence-WebWork-OGNL-Injection.html
https://jira.atlassian.com/browse/CONFSERVER-67940
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, Confluence Server is widely used; more than 10000+ instances are exposed on Shodan
Please let me know if this is in scope as I've already made the development .
I have been playing with tsunami, and I noticed the configuration files for the nmap scanner only support the path of the binary and list of ports.
Is there any way of passing additional arguments to the nmap binary, like the ones you would use in a CLI?
Hello,
I would like to start the implementation for a plugin that detects CVE-2020-14882
Please let me know if this is in scope to start with its development.
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-2394
The vulnerability should be relatively new and have already been patched. https://www.oracle.com/security-alerts/cpujul2021.html
The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The vulnerability should have a relatively large impact radius. Oracle WebLogic Server
The vulnerability should be remotely exploitable without authentication and user interaction. Yes.
Please let me know if this is in scope to start with its development.
Hello,
I would like to start the implementation for a plugin that detects PHP 8.1.0-dev User-Agentt Backdoor
Vulnerability details:
Type: PHP 8.1.0-dev User-Agentt Backdoor
Score: 9.80 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, PHP server is widely used; more than 6993K+ instances are exposed on Shodan
Please let me know if this is in scope as I've already made the development .
Vulnerability details:
Type: Woocommerce SQL Injection
References:
- https://patchstack.com/woocommerce-sql-injection-vulnerability/
- https://www.kroll.com/en/insights/publications/cyber/critical-sql-injection-vulnerability-patched-woocommerce
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The vulnerability should have a relatively large impact radius. Yes, Woocommerce
Please let me know if this is in scope as I've already made the development.
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-21234
The vulnerability should be relatively new and have already been patched. GHSA-p4q6-qxjx-8jgp
The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
The vulnerability should have a relatively large impact radius. spring boot actuator logview
The vulnerability should be remotely exploitable without authentication and user interaction. Yes.
Please let me know if this is in scope to start with its development.
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-22005 VMware vCenter Server file upload .
Vulnerability details:
Type: VMware vCenter Server file upload vulnerability
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://kb.vmware.com/s/article/85717
- https://www.vmware.com/security/advisories/VMSA-2021-0020.html
- https://core.vmware.com/vmsa-2021-0020-questions-answers-faq
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, Vmware vCenter is widely used
Please let me know if this is in scope as I've already made the development .
Vulnerability details:
Type: Unauthenticated PHPMyAdmin leads to exposure of sensitive information
Score: High
References:
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The vulnerability should have a relatively large impact radius. Yes, phpMyAdmin
Please let me know if this is in scope as I've already made the development.
Hello,
I would like to start the implementation for a plugin that detects CVE-2020-3187 unauthenticated arbitrary file deletion in Cisco ASA/FTD
Vulnerability details:
Type: Cisco ASA/FTD
Score: 9.1 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
References:
http://packetstormsecurity.com/files/158648/Cisco-Adaptive-Security-Appliance-Software-9.7-Arbitrary-File-Deletion.html
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-path-JE3azWw43
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using vulnerable, Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes,
Please let me know if this is in scope as I've already made the development .
The nmap plugin switched to a custom XML report parser from this commit. However, I noticed in certain cases where HTTPS was the actual service, nmap returned a result like this:
<service name="http" tunnel="ssl" method="probed" conf="10"/>
Even though the service name is http, the tunnel is ssl, so https would be a more appropriate tag. However, the parser simply takes the service name without further checks, causing requests to be sent to http://<HOST>:443/. Most servers reject such a request since SSL is required, leading to unexpected end of stream errors.
I've also noticed non-default HTTPS ports being wrongly interpreted as FTP or SSH. Perhaps the team could look into reverting back to the nmap plugin to parse results in the meantime while working on improving the XML parser.
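The normalisation the issue asks for, as an added example in Python rather than Tsunami's own Java parser: fold nmap's `tunnel="ssl"` attribute into the service name before building a probe URL, and flag names that nmap only guessed from its port table (`method="table"`, low `conf`), which is how a non-default HTTPS port ends up labelled ftp or ssh. It generalises past http to the other plaintext protocols nmap reports under a TLS tunnel. The XML document is constructed for the example; all function and constant names are assumptions.

```python
"""Normalise nmap -oX <service> entries before deriving probe targets.

Added example (not Tsunami's NmapClient or report parser).
"""
import xml.etree.ElementTree as ET

# Constructed sample of nmap XML output; not a real scan result.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" tunnel="ssl" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="open"/>
        <service name="http" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="8443">
        <state state="open"/>
        <service name="http" tunnel="ssl" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="993">
        <state state="open"/>
        <service name="imap" tunnel="ssl" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="21">
        <state state="closed"/>
        <service name="ftp" method="table" conf="3"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# nmap reports a TLS-wrapped service as the plaintext protocol plus tunnel="ssl".
# Map the common ones to their well-known names; anything else gets nmap's own
# "ssl/<name>" text-output convention so the tunnel is never silently dropped.
SSL_TUNNEL_NAMES = {
    "http": "https",
    "imap": "imaps",
    "pop3": "pop3s",
    "smtp": "smtps",
    "ftp": "ftps",
    "ldap": "ldaps",
}

# nmap's conf attribute ranges 1-10. method="table" means the name came from the
# port-number table, not a version probe; treat those as guesses, not facts.
MIN_CONFIDENCE = 5


def effective_service_name(service_el):
    """Service name with the ssl tunnel folded in (http + ssl -> https)."""
    name = service_el.get("name", "unknown")
    if service_el.get("tunnel") == "ssl":
        return SSL_TUNNEL_NAMES.get(name, "ssl/" + name)
    return name


def is_confident(service_el):
    """True only when nmap actually probed the service with decent confidence."""
    method = service_el.get("method", "table")
    conf = int(service_el.get("conf", "0"))
    return method == "probed" and conf >= MIN_CONFIDENCE


def web_url(addr, port, service_name):
    """Build a probe URL for web services, scheme taken from the normalised name."""
    if service_name in ("http", "https"):
        return f"{service_name}://{addr}:{port}/"
    return None


def parse_services(xml_text):
    """Return one record per open port: normalised name, confidence flag, URL."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port_el in host.iter("port"):
            state = port_el.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports carry only table guesses
            service_el = port_el.find("service")
            if service_el is None:
                continue
            name = effective_service_name(service_el)
            port = port_el.get("portid")
            results.append({
                "addr": addr,
                "port": int(port),
                "protocol": port_el.get("protocol"),
                "service": name,
                "confident": is_confident(service_el),
                "url": web_url(addr, port, name),
            })
    return results


if __name__ == "__main__":
    for entry in parse_services(SAMPLE_NMAP_XML):
        print(entry)
```

With the sample above, port 443 yields https://192.0.2.10:443/ instead of the http:// URL the issue describes, and 8443 is kept but marked as a table guess.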
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-35464.
Vulnerability details:
Please let me know if this is in scope as I've already started the development 😸.
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-21985
The vulnerability should be relatively new and have already been patched. https://www.vmware.com/security/advisories/VMSA-2021-0010.html
The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The vulnerability should have a relatively large impact radius. vmware vcenter
The vulnerability should be remotely exploitable without authentication and user interaction. Yes.
Please let me know if this is in scope to start with its development.
CVE-2020-1350 is a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. It seems to align with the goals and philosophy of the project.
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-34473 Exchange Server SSRF (ProxyShell)
Vulnerability details:
Type: Exchange Server SSRF (ProxyShell)
Score: 9.80 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
- https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, Microsoft Exchange server is widely used; more than 200K+ instances are exposed on Shodan
Please let me know if this is in scope as I've already made the development .
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-26855 Exchange Server SSRF Vulnerability.
Vulnerability details:
Type: Exchange Server SSRF Vulnerability
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://proxylogon.com/#timeline
- https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/http-vuln-cve2021-26855.nse
- https://www.shodan.io/search?query=vuln%3ACVE-2021-26855
- https://gist.github.com/testanull/324546bffab2fe4916d0f9d1f03ffa09
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, Microsoft Exchange is widely used (Shodan instances: 232,165)
Please let me know if this is in scope as I've already made the development .
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-29622 Prometheus Open Redirect.
Vulnerability details:
Type: CVE-2021-29622 Prometheus Open Redirect
Score: 6.10 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References:
- GHSA-vx57-7f4q-fpc7
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes, Prometheus is widely used in the Internet
Please let me know if this is in scope as I've already made the development .
Vulnerability details:
Type: Springboot Heapdump Actuator Expose
Score: High
References:
- https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The vulnerability should have a relatively large impact radius. Yes, springboot
Please let me know if this is in scope as I've already made the development.
Vulnerability details:
Type: Oracle WebLogic Server product of Oracle Fusion Middleware
Score: 9.80 Critical
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2551
- https://github.com/hktalent/CVE-2020-2551
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The vulnerability should have a relatively large impact radius. Yes, Oracle WebLogic Server product of Oracle Fusion Middleware
Please let me know if this is in scope as I've already made the development.
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-26084
Please let me know if this is in scope to start with its development.
Vulnerability details:
Type: Kong Admin Rest API Unauth
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The vulnerability should have a relatively large impact radius. Yes, Kong API Gateway
Please let me know if this is in scope as I've already made the development.
Hello,
I would like to start the implementation for a plugin that detects CVE-2020-3452 Cisco Adaptive Security Appliance Path Traversal
Vulnerability details:
Type: Cisco Adaptive Security Appliance Path Traversal
Score: 7.50 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References:
- https://twitter.com/aboul3la/status/1286012324722155525
- http://packetstormsecurity.com/files/158646/Cisco-ASA-FTD-Remote-File-Disclosure.html
- http://packetstormsecurity.com/files/158647/Cisco-Adaptive-Security-Appliance-Software-9.11-Local-File-Inclusion.html
- http://packetstormsecurity.com/files/159523/Cisco-ASA-FTD-9.6.4.42-Path-Traversal.html
- http://packetstormsecurity.com/files/160497/Cisco-ASA-9.14.1.10-FTD-6.6.0.1-Path-Traversal.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes,
Please let me know if this is in scope as I've already made the development.
Should the plugins use the filtering annotation described in https://github.com/google/tsunami-security-scanner/blob/master/docs/howto.md#filter_plugins, or is this deprecated and the mapping between service type and plugin no longer used?
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-29200
The vulnerability should be relatively new and have already been patched. https://lists.apache.org/thread.html/re21d25d9fb89e36cea910633779c23f144b9b60596b113b7bf1e8097@%3Cuser.ofbiz.apache.org%3E
The vulnerability should have a HIGH or CRITICAL severity rating if there is already a CVE ID assigned (CVSS score >= 7.0): CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
The vulnerability should have a relatively large impact radius. Apache OFBiz
The vulnerability should be remotely exploitable without authentication and user interaction. Yes.
Please let me know if this is in scope to start with its development.
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-21307.
Vulnerability details:
Type: Unauthenticated Remote Code Execution (RCE)
Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes
The vulnerability should have a relatively large impact radius. Yes, 500k + pulls on docker hub
Hello,
I would like to start the implementation for a plugin that detects CVE-2021-25281 - SaltStack wheel_async unauth access
Vulnerability details:
Type: CVE-2021-25281 - SaltStack wheel_async unauth access
Score: 9.80 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://hackdig.com/02/hack-283902.htm
The vulnerability should be remotely exploitable without authentication and user interaction. Yes
The detector should provide a reliable false-positive free detection report. Yes
The detection capability should be easy to verify using both vulnerable and fixed Docker images. Yes, this can be done easily.
The vulnerability should have a relatively large impact radius. Yes,
Please let me know if this is in scope as I've already made the development.