hub icon indicating copy to clipboard operation
hub copied to clipboard
verified publisher icon crowdsecurity

Add vpatch-CVE-2022-24086 rule and test

Open crowdsec-automation opened this issue 2 months ago • 2 comments

This rule targets the RCE vulnerability in Adobe Commerce (Magento) during the checkout process, specifically in the /rest/default/V1/guest-carts/{id}/shipping-information endpoint. The attack leverages the injection of a malicious string containing addAfterFilterCallback(system) in the JSON body, which triggers code execution.

  • The first two rule conditions ensure the request is targeting the correct endpoint by matching both /rest/default/v1/guest-carts/ and /shipping-information in the URI, making the rule specific to the vulnerable API.
  • The third condition inspects the entire raw body (RAW_BODY) for the presence of the string addafterfiltercallback(system) (lowercased for normalization), which is the key exploit vector in this attack.
  • The use of RAW_BODY is necessary because the malicious payload can be injected in multiple JSON fields (firstname, lastname, etc.), so targeting a specific argument would risk missing the attack.
  • All value: fields are lowercase, and the lowercase transform is applied to ensure case-insensitive matching.
  • The rule avoids false positives by requiring all three conditions to be met, focusing on the unique exploit pattern and endpoint.

The test nuclei template sends a POST request to the vulnerable endpoint with the exploit payload in the JSON body and expects a 403 response, which would indicate the WAF is blocking the attack.

crowdsec-automation avatar Oct 29 '25 15:10 crowdsec-automation

Hello @crowdsec-automation and thank you for your contribution!

:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

:red_circle: crowdsecurity/vpatch-CVE-2022-24086 :red_circle:

github-actions[bot] avatar Oct 29 '25 15:10 github-actions[bot]

Hello @crowdsec-automation and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

  • labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

  • labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

  • labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

  • labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

  • labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

  • labels not found

Mitre ATT&CK

Information about mitre attack can be found here. As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

github-actions[bot] avatar Oct 29 '25 15:10 github-actions[bot]

Hello @buixor and thank you for your contribution!

:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

:red_circle: crowdsecurity/vpatch-CVE-2023-0600 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-2009 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-0900 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6623 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-23489 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-4634 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-23488 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2024-1071 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6567 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6360 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2024-1061 :red_circle:

github-actions[bot] avatar Nov 05 '25 14:11 github-actions[bot]

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

  • labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

  • labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

  • labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

  • labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

  • labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

  • labels not found

Mitre ATT&CK

Information about mitre attack can be found here. As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

github-actions[bot] avatar Nov 05 '25 14:11 github-actions[bot]

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

  • labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

  • labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

  • labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

  • labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

  • labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

  • labels not found

Mitre ATT&CK

Information about mitre attack can be found here. As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

github-actions[bot] avatar Nov 05 '25 15:11 github-actions[bot]

Hello @buixor,

:white_check_mark: The new VPATCH Rule is compliant, thank you for your contribution!

github-actions[bot] avatar Nov 05 '25 15:11 github-actions[bot]

Hello @buixor and thank you for your contribution!

:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

:red_circle: crowdsecurity/vpatch-CVE-2023-0600 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-2009 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-0900 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6623 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-23489 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-4634 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-23488 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2024-1071 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6567 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6360 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2024-1061 :red_circle:

github-actions[bot] avatar Nov 05 '25 15:11 github-actions[bot]

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

  • labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

  • labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

  • labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

  • labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

  • labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

  • labels not found

Mitre ATT&CK

Information about mitre attack can be found here. As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

github-actions[bot] avatar Nov 05 '25 15:11 github-actions[bot]

Hello @buixor and thank you for your contribution!

:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

:red_circle: crowdsecurity/vpatch-CVE-2023-0600 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-2009 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-0900 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6623 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-23489 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-4634 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-23488 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2024-1071 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6567 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6360 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2024-1061 :red_circle:

github-actions[bot] avatar Nov 05 '25 16:11 github-actions[bot]

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

  • labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

  • labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

  • labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

  • labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

  • labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

  • labels not found

Mitre ATT&CK

Information about mitre attack can be found here. As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

github-actions[bot] avatar Nov 05 '25 16:11 github-actions[bot]