Add vpatch-CVE-2021-26072 rule and test

[crowdsec-automation]

This rule detects exploitation attempts for CVE-2021-26072, an SSRF vulnerability in Atlassian Confluence's WidgetConnector plugin. The attack is performed by sending a GET request to the /rest/sharelinks/1.0/link endpoint with a url parameter pointing to an attacker-controlled domain (e.g., interactsh).

• The first rule block matches requests to the vulnerable endpoint, using contains on the URI with lowercase and urldecode transforms to ensure normalization and case insensitivity.
• The second rule block targets the url argument in the query string, checking if it contains the substring http (to catch both http and https schemes), again with lowercase and urldecode transforms.
• This approach avoids false positives by focusing on the specific endpoint and the presence of a URL scheme in the url parameter, which is required for SSRF exploitation.
• The labels section includes the correct CVE, ATT&CK, and CWE references, and the product/vuln class label is formatted as required.

Validation checklist:

• All value: fields are lowercase.
• All relevant transforms include lowercase.
• No match.value contains capital letters.
• contains is used instead of regex where applicable.

[github-actions[bot]]

Hello @crowdsec-automation and thank you for your contribution!

:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

:red_circle: crowdsecurity/vpatch-CVE-2021-26072 :red_circle:

[github-actions[bot]]

Hello @crowdsec-automation and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here. As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

[github-actions[bot]]

Hello @buixor and thank you for your contribution!

:heavy_exclamation_mark: It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

:red_circle: crowdsecurity/vpatch-CVE-2023-0600 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-2009 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-0900 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6623 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-23489 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-4634 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-23488 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2024-1071 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6567 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2023-6360 :red_circle: :red_circle: crowdsecurity/vpatch-CVE-2024-1061 :red_circle:

[github-actions[bot]]

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

• labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

• labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

• labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

• labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

• labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

• labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

• labels not found

Mitre ATT&CK

Information about mitre attack can be found here. As an example, some common mitre attack techniques:

• T1110 for bruteforce attacks
• T1595 and T1190 for exploitation of public vulnerabilities
• T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.