cve-2024-43405
Vulnerability from cvelistv5
Published
2024-09-04 15:36
Modified
2024-09-04 16:21
Severity ?
7.4 (High) - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Summary
Nuclei is a vulnerability scanner powered by YAML based templates. Starting in version 3.0.0 and prior to version 3.3.2, a vulnerability in Nuclei's template signature verification system could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template. The vulnerability is present in the template signature verification process, specifically in the `signer` package. The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template. CLI users are affected if they execute custom code templates from unverified sources. This includes templates authored by third parties or obtained from unverified repositories. SDK Users are affected if they are developers integrating Nuclei into their platforms, particularly if they permit the execution of custom code templates by end-users. The vulnerability is addressed in Nuclei v3.3.2. Users are strongly recommended to update to this version to mitigate the security risk. As an interim measure, users should refrain from using custom templates if unable to upgrade immediately. Only trusted, verified templates should be executed. Those who are unable to upgrade Nuclei should disable running custom code templates as a workaround.
References
security-advisories@github.comhttps://github.com/projectdiscovery/nuclei/commit/0da993afe6d41b4b1b814e8fad23a2acba13c60aPatch
security-advisories@github.comhttps://github.com/projectdiscovery/nuclei/security/advisories/GHSA-7h5p-mmpp-hgmmMitigation, Third Party Advisory
Impacted products
Vendor Product Version
projectdiscovery nuclei Version: >= 3.0.0, < 3.3.2
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:*:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "nuclei",
                  vendor: "projectdiscovery",
                  versions: [
                     {
                        lessThan: "3.3.2",
                        status: "affected",
                        version: "3.0.0",
                        versionType: "custom",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-43405",
                        options: [
                           {
                              Exploitation: "poc",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "total",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-09-04T16:21:03.366044Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-09-04T16:21:54.357Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               product: "nuclei",
               vendor: "projectdiscovery",
               versions: [
                  {
                     status: "affected",
                     version: ">= 3.0.0, < 3.3.2",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Nuclei is a vulnerability scanner powered by YAML based templates. Starting in version 3.0.0 and prior to version 3.3.2, a vulnerability in Nuclei's template signature verification system could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template. The vulnerability is present in the template signature verification process, specifically in the `signer` package. The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template. CLI users are affected if they execute custom code templates from unverified sources. This includes templates authored by third parties or obtained from unverified repositories. SDK Users are affected if they are developers integrating Nuclei into their platforms, particularly if they permit the execution of custom code templates by end-users. The vulnerability is addressed in Nuclei v3.3.2. Users are strongly recommended to update to this version to mitigate the security risk. As an interim measure, users should refrain from using custom templates if unable to upgrade immediately. Only trusted, verified templates should be executed. Those who are unable to upgrade Nuclei should disable running custom code templates as a workaround.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 7.4,
                  baseSeverity: "HIGH",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "HIGH",
                  privilegesRequired: "NONE",
                  scope: "CHANGED",
                  userInteraction: "REQUIRED",
                  vectorString: "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-78",
                     description: "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-09-04T15:36:23.277Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-7h5p-mmpp-hgmm",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-7h5p-mmpp-hgmm",
            },
            {
               name: "https://github.com/projectdiscovery/nuclei/commit/0da993afe6d41b4b1b814e8fad23a2acba13c60a",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/projectdiscovery/nuclei/commit/0da993afe6d41b4b1b814e8fad23a2acba13c60a",
            },
         ],
         source: {
            advisory: "GHSA-7h5p-mmpp-hgmm",
            discovery: "UNKNOWN",
         },
         title: "Nuclei Template Signature Verification Bypass",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-43405",
      datePublished: "2024-09-04T15:36:23.277Z",
      dateReserved: "2024-08-12T18:02:04.966Z",
      dateUpdated: "2024-09-04T16:21:54.357Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2024-43405\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-09-04T16:15:06.853\",\"lastModified\":\"2024-10-01T15:37:37.337\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nuclei is a vulnerability scanner powered by YAML based templates. Starting in version 3.0.0 and prior to version 3.3.2, a vulnerability in Nuclei's template signature verification system could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template. The vulnerability is present in the template signature verification process, specifically in the `signer` package. The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template. CLI users are affected if they execute custom code templates from unverified sources. This includes templates authored by third parties or obtained from unverified repositories. SDK Users are affected if they are developers integrating Nuclei into their platforms, particularly if they permit the execution of custom code templates by end-users. The vulnerability is addressed in Nuclei v3.3.2. Users are strongly recommended to update to this version to mitigate the security risk. As an interim measure, users should refrain from using custom templates if unable to upgrade immediately. Only trusted, verified templates should be executed. Those who are unable to upgrade Nuclei should disable running custom code templates as a workaround.\"},{\"lang\":\"es\",\"value\":\"Nuclei es un escáner de vulnerabilidades que funciona con plantillas basadas en YAML. A partir de la versión 3.0.0 y antes de la versión 3.3.2, una vulnerabilidad en el sistema de verificación de firmas de plantillas de Nuclei podría permitir a un atacante eludir la verificación de firmas y posiblemente ejecutar código malicioso a través de una plantilla de código personalizada. La vulnerabilidad está presente en el proceso de verificación de firmas de plantillas, específicamente en el paquete `signer`. La vulnerabilidad se origina en una discrepancia entre cómo el proceso de verificación de firmas y el analizador YAML manejan los caracteres de nueva línea, combinado con la forma en que se procesan múltiples firmas. Esto permite a un atacante inyectar contenido malicioso en una plantilla mientras mantiene una firma válida para la parte benigna de la plantilla. Los usuarios de CLI se ven afectados si ejecutan plantillas de código personalizadas de fuentes no verificadas. Esto incluye plantillas creadas por terceros u obtenidas de repositorios no verificados. Los usuarios de SDK se ven afectados si son desarrolladores que integran Nuclei en sus plataformas, en particular si permiten la ejecución de plantillas de código personalizadas por parte de los usuarios finales. La vulnerabilidad se soluciona en Nuclei v3.3.2. Se recomienda encarecidamente a los usuarios que actualicen a esta versión para mitigar el riesgo de seguridad. Como medida provisoria, los usuarios deben abstenerse de utilizar plantillas personalizadas si no pueden actualizar de inmediato. Solo se deben ejecutar plantillas verificadas y confiables. Aquellos que no puedan actualizar Nuclei deben deshabilitar la ejecución de plantillas de código personalizadas como workaround.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":5.8},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:go:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.3.2\",\"matchCriteriaId\":\"82094046-7D35-4A48-8D10-AA7C249AE8B2\"}]}]}],\"references\":[{\"url\":\"https://github.com/projectdiscovery/nuclei/commit/0da993afe6d41b4b1b814e8fad23a2acba13c60a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-7h5p-mmpp-hgmm\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-43405\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-04T16:21:03.366044Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:projectdiscovery:nuclei:*:*:*:*:*:*:*:*\"], \"vendor\": \"projectdiscovery\", \"product\": \"nuclei\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.3.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-04T16:21:48.362Z\"}}], \"cna\": {\"title\": \"Nuclei Template Signature Verification Bypass\", \"source\": {\"advisory\": \"GHSA-7h5p-mmpp-hgmm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.4, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"projectdiscovery\", \"product\": \"nuclei\", \"versions\": [{\"status\": \"affected\", \"version\": \">= 3.0.0, < 3.3.2\"}]}], \"references\": [{\"url\": \"https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-7h5p-mmpp-hgmm\", \"name\": \"https://github.com/projectdiscovery/nuclei/security/advisories/GHSA-7h5p-mmpp-hgmm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/projectdiscovery/nuclei/commit/0da993afe6d41b4b1b814e8fad23a2acba13c60a\", \"name\": \"https://github.com/projectdiscovery/nuclei/commit/0da993afe6d41b4b1b814e8fad23a2acba13c60a\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nuclei is a vulnerability scanner powered by YAML based templates. Starting in version 3.0.0 and prior to version 3.3.2, a vulnerability in Nuclei's template signature verification system could allow an attacker to bypass the signature check and possibly execute malicious code via custom code template. The vulnerability is present in the template signature verification process, specifically in the `signer` package. The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed. This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template. CLI users are affected if they execute custom code templates from unverified sources. This includes templates authored by third parties or obtained from unverified repositories. SDK Users are affected if they are developers integrating Nuclei into their platforms, particularly if they permit the execution of custom code templates by end-users. The vulnerability is addressed in Nuclei v3.3.2. Users are strongly recommended to update to this version to mitigate the security risk. As an interim measure, users should refrain from using custom templates if unable to upgrade immediately. Only trusted, verified templates should be executed. Those who are unable to upgrade Nuclei should disable running custom code templates as a workaround.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-09-04T15:36:23.277Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-43405\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-04T16:21:54.357Z\", \"dateReserved\": \"2024-08-12T18:02:04.966Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-09-04T15:36:23.277Z\", \"assignerShortName\": \"GitHub_M\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.