
[GHSA-7h5p-mmpp-hgmm] Nuclei Template Signature Verification Bypass #4903

Open
wants to merge 1 commit into base: GuyGoldenberg/advisory-improvement-4903

Conversation

GuyGoldenberg

Updates

  • CVSS v4
  • Severity

Comments
Use the same CVSS as in the advisory for consistency

@github
Collaborator

github commented Oct 14, 2024

Hi there @ehsandeep! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.

@github-actions github-actions bot changed the base branch from main to GuyGoldenberg/advisory-improvement-4903 October 14, 2024 17:13
@JonathanLEvans

Hi @GuyGoldenberg, the advisory currently has both the CVSS v3.1 score (provided by the maintainer) and the CVSS v4 score (provided by GitHub). Is there a problem with the CVSS v4 scoring?

@GuyGoldenberg
Author

> Hi @GuyGoldenberg, the advisory currently has both the CVSS v3.1 score (provided by the maintainer) and the CVSS v4 score (provided by GitHub). Is there a problem with the CVSS v4 scoring?

Yes, I think there's an issue in general. The attack complexity is Low and not High.
The attack vector is local and not network. Also, if I understand correctly, the Vulnerable system is completely vulnerable.

Can you possibly review the security advisory and let me know what you think?

GHSA-7h5p-mmpp-hgmm

@JonathanLEvans

> Yes, I think there's an issue in general. The attack complexity is Low and not High.

Could you provide more details? The disclosure does not provide enough details to determine whether the attack complexity is Low or High but the CVSS on the repo advisory says it is High.

> The attack vector is local and not network.

From the repo advisory:

> SDK Users: Developers integrating Nuclei into their platforms, particularly if they permit the execution of custom code templates by end-users.

This suggests that SDK Users could allow remote users to execute custom templates depending on the implementation.

> Also, if I understand correctly, the Vulnerable system is completely vulnerable.

I believe what you mean by this is VC, VI, and VA should be set to High rather than SC, SI, SA. Is that correct?

@GuyGoldenberg
Author

  1. We can go into details about the attack complexity; generally, once a user has the ability to edit a Nuclei template, the attack is extremely simple. The vulnerability is complex but exploiting it is very easy.
  2. Correct, some implementations allow adding/editing templates on SaaS services offering Nuclei as a service, and some users run it locally on their own machines. In both cases, the attack requires running the malicious template locally; this can't be triggered remotely.
  3. Exactly. Since it's both an SDK and a CLI, do we maybe need to set both of these to High?

@JonathanLEvans

  1. Without additional details, there is no way to assess the claim, so I lean toward keeping the current value.
  2. I want to make sure I understand the SaaS scenario. The attacker uploads or edits the template on the remote system. To execute the template, does the attacker/user then need to have CLI access? Or can they use some web interface? I am trying to understand how this is different from a file upload attack, e.g. CVE-2024-7450.
  3. No, since only the machine executing the template is affected, only VC, VI, and VA apply. If the template caused the scanner to attack other machines, then SC, SI, and SA would apply. Take the stored XSS attack scenario for example: the attacker stores the malicious code on the server, which causes the server to attack anyone who visits the web page.
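The thread above argues over three CVSS v4 base metrics (AV, AC, and whether impact belongs on the vulnerable system, VC/VI/VA, or on subsequent systems, SC/SI/SA). The following Python is an added example, not code from the advisory, the Nuclei project or either commenter: it parses CVSS v4.0 base vector strings, diffs two vectors, and flags the vulnerable-versus-subsequent impact split. The two vector strings are constructed stand-ins that mirror the points raised in the discussion; they are not the advisory's actual scores.

```python
"""Parse, validate and compare CVSS v4.0 base vectors (added example)."""

# Allowed values for the eleven CVSS v4.0 base metrics, per the FIRST spec.
BASE_METRICS = {
    "AV": ("N", "A", "L", "P"),  # Attack Vector: Network/Adjacent/Local/Physical
    "AC": ("L", "H"),            # Attack Complexity: Low/High
    "AT": ("N", "P"),            # Attack Requirements: None/Present
    "PR": ("N", "L", "H"),       # Privileges Required: None/Low/High
    "UI": ("N", "P", "A"),       # User Interaction: None/Passive/Active
    "VC": ("H", "L", "N"),       # Vulnerable system Confidentiality
    "VI": ("H", "L", "N"),       # Vulnerable system Integrity
    "VA": ("H", "L", "N"),       # Vulnerable system Availability
    "SC": ("H", "L", "N"),       # Subsequent system Confidentiality
    "SI": ("H", "L", "N"),       # Subsequent system Integrity
    "SA": ("H", "L", "N"),       # Subsequent system Availability
}
VULNERABLE_IMPACT = ("VC", "VI", "VA")
SUBSEQUENT_IMPACT = ("SC", "SI", "SA")


def parse_vector(vector: str) -> dict:
    """Return {metric: value} for a v4.0 base vector; reject malformed input."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {parts[0]!r}")
    metrics = {}
    for part in parts[1:]:
        name, sep, value = part.partition(":")
        if not sep or name not in BASE_METRICS:
            raise ValueError(f"unknown or malformed metric {part!r}")
        if value not in BASE_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for {name}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {', '.join(missing)}")
    return metrics


def diff_vectors(a: str, b: str) -> dict:
    """Map each metric that differs to its (a_value, b_value) pair."""
    ma, mb = parse_vector(a), parse_vector(b)
    return {m: (ma[m], mb[m]) for m in BASE_METRICS if ma[m] != mb[m]}


def subsequent_impact(metrics: dict) -> bool:
    """True if any SC/SI/SA metric claims impact beyond the vulnerable system."""
    return any(metrics[m] != "N" for m in SUBSEQUENT_IMPACT)


def review_impact_split(metrics: dict, affects_other_hosts: bool) -> list:
    """Sanity-check the VC/VI/VA vs SC/SI/SA placement against the stated
    scenario (the rule discussed above: only a vulnerable-system impact when
    the host executing the template is the only thing affected)."""
    notes = []
    vuln_any = any(metrics[m] != "N" for m in VULNERABLE_IMPACT)
    if not affects_other_hosts and subsequent_impact(metrics):
        notes.append("SC/SI/SA set, but scenario affects only the executing host")
    if not vuln_any and not affects_other_hosts:
        notes.append("no VC/VI/VA impact recorded for the executing host")
    if affects_other_hosts and not subsequent_impact(metrics):
        notes.append("scenario reaches other hosts but SC/SI/SA are all N")
    return notes


# Constructed stand-ins (assumptions, not the advisory's real vectors):
# one places AC:H, AV:N and impact on subsequent systems; the other reflects
# the thread's proposal of AC:L, AV:L and impact on the vulnerable system.
SUBSEQUENT_STYLE = "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"
PROPOSED_STYLE = "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"

if __name__ == "__main__":
    for metric, (old, new) in diff_vectors(SUBSEQUENT_STYLE, PROPOSED_STYLE).items():
        print(f"{metric}: {old} -> {new}")
    for note in review_impact_split(parse_vector(SUBSEQUENT_STYLE), affects_other_hosts=False):
        print("note:", note)
```

`review_impact_split` encodes only the placement rule stated in the thread; it does not compute a numeric score, since the v4.0 score comes from the MacroVector lookup tables and is best left to the official calculator.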


github-actions bot commented Nov 6, 2024

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions bot added the Stale label Nov 6, 2024
3 participants