Add vpatch-CVE-2024-21650 rule and test #1484
crowdsec-automation wants to merge 6 commits into master from
Conversation
Hello @crowdsec-automation and thank you for your contribution! ❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection: 🔴 crowdsecurity/vpatch-CVE-2024-21650 🔴 |
Hello @crowdsec-automation, Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution! |
Hello @blotus and thank you for your contribution! ❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection: 🔴 crowdsecurity/vpatch-CVE-2023-0600 🔴 |
Hello @blotus, Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution! |
This rule targets the XWiki user registration endpoint vulnerable to RCE via the "first name" or "last name" fields. The detection logic is as follows:
- Matches the registration endpoint URI (`/bin/register/xwiki/xwikiregister`), using both `lowercase` and `urldecode` transforms to ensure case-insensitive and encoded/decoded matching.
- Inspects the `register_first_name` and `register_last_name` fields for the presence of the string `{{groovy}}` (case-insensitive, URL-decoded). This string is a strong indicator of an attempt to inject Groovy code, which is the vector for RCE in this vulnerability.
- The test sends a request with `register_first_name` containing the Groovy macro, and expects a 403 response to confirm the rule blocks the attack.

Validation checklist:

- `value:` fields are lowercase.
- Transforms: `lowercase` and `urldecode`.
- No `match.value` contains capital letters.
- Uses `contains` for matching, not `regex`, as per guidelines.
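The detection logic described above, modelled in Python as an added example (this is not the hub's YAML rule or the CrowdSec engine): the two conditions (registration endpoint, Groovy macro in either name field) are evaluated after the `lowercase` and `urldecode` transforms, and the result is the status the test expects. The sample requests, including the mixed-case URI spelling and the percent-encoded macro, are constructed for this example.

```python
from urllib.parse import unquote

# Values taken from the rule description above.
REGISTER_URI = "/bin/register/xwiki/xwikiregister"
WATCHED_FIELDS = ("register_first_name", "register_last_name")
GROOVY_MACRO = "{{groovy}}"


def transform(value: str) -> str:
    """Mimic the rule's transform chain: lowercase, then urldecode."""
    return unquote(value.lower())


def parse_form(body: str) -> dict:
    """Split a raw application/x-www-form-urlencoded body without decoding it,
    so that the rule's own urldecode transform is what normalises the values."""
    fields = {}
    for pair in body.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[key.lower()] = value
    return fields


def evaluate(uri: str, body: str) -> int:
    """Return 403 when both conditions hold (endpoint + macro), else 200."""
    if REGISTER_URI not in transform(uri):
        return 200
    form = parse_form(body)
    hit = any(GROOVY_MACRO in transform(form.get(f, "")) for f in WATCHED_FIELDS)
    return 403 if hit else 200


# Constructed sample requests (uri, form body) for this example.
SAMPLES = {
    "benign": ("/bin/register/XWiki/XWikiRegister",
               "register_first_name=Alice&register_last_name=Smith"),
    "plain_macro": ("/bin/register/XWiki/XWikiRegister",
                    "register_first_name={{groovy}}x{{/groovy}}&register_last_name=Smith"),
    "mixed_case_urlencoded": ("/bin/register/XWiki/XWikiRegister",
                              "register_first_name=Alice&register_last_name=%7B%7BGroovy%7D%7Dx"),
    "other_endpoint": ("/bin/view/Main/WebHome",
                       "register_first_name={{groovy}}x{{/groovy}}"),
}


def run_all() -> dict:
    """Evaluate every sample; only the two registration-endpoint macro variants block."""
    return {name: evaluate(uri, body) for name, (uri, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in run_all().items():
        print(f"{name:24s} -> {status}")
```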