Harsh Jaiswal

GitHub Enterprise SAML Authentication Bypass (CVE-2024-4985 / CVE-2024-9487)

Introduction In light of the recent Ruby-SAML bypass discovered in GitLab, we set out to examine the SAML implementation within GitHub Enterprise. During our research, we identified a significant vulnerability that enabled bypassing GitHub’s SAML authentication when encrypted assertions were in use. This blog post will provide an in-depth look at GitHub Enterprise’s SAML implementation and analyze the specific code issue that permitted this bypass. Although we uncovered this vulnerability inde

Vulnerability Research Nuclei & Templates

Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409)

Introduction In this blog post, we will analyze CVE-2024-45409, a critical vulnerability impacting Ruby-SAML, OmniAuth-SAML libraries, which effectively affects GitLab. This vulnerability allows an attacker to bypass SAML authentication mechanisms and gain unauthorized access by exploiting a flaw in how SAML responses are handled. The issue arises due to weaknesses in the verification of the digital signature used to protect SAML assertions, allowing attackers to manipulate the SAML response a

Vulnerability Research

Hacking Apple - SQL Injection to Remote Code Execution

Introduction In our last blog post, we delved into the inner workings of Lucee and took a look at the source code of Masa/Mura CMS, and the vastness of the potential attack surface struck us. It became evident that investing time in understanding the code could pay off. After dedicating a week to our exploration, we stumbled upon several entry points for exploitation, including a critical SQL injection flaw that we were able to exploit within Apple's Book Travel portal. In this blog post, we a

Vulnerability Research Nuclei & Templates

Hello Lucee! Let us hack Apple again?

Last year we conducted an in-depth analysis of multiple vulnerabilities within Adobe ColdFusion, we derived valuable insights, one of which revolved around CFM and CFC handling, parsing and execution. We wondered if there are any other CFML Servers. Does this ring a bell? Allow us to introduce Lucee. We've previously compromised Lucee's Admin panel, showcasing a pre-auth Remote Code Execution (RCE) on multiple Apple servers that utilized Lucee as its underlying server. Our journey led us throug

Vulnerability Research Nuclei & Templates

Atlassian Confluence - Remote Code Execution (CVE-2023-22527)

CVE-2023-22527 is a critical vulnerability within Atlassian's Confluence Server and Data Center. This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence instance, thereby enabling the execution of arbitrary code and system commands. Technical Details Initial Analysis The CVE description provided by Atlassian made it clear that this vulnerability was automatically rendered unexploitable in version 8.5.4 due to certain incorpora

Vulnerability Research Nuclei & Templates

CrushFTP - CVE-2023-43177 Unauthenticated Remote Code Execution

CVE-2023-43177 is a critical vulnerability in CrushFTP. The vulnerability could potentially allow unauthenticated attackers with network access to the CrushFTP Instance to write files in the local file system and eventually in some versions could allow the executing of arbitrary system commands. Technical Details Based on the information shared in the original blog post at https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/, we embarked on an effort to gain a deeper

Vulnerability Research Nuclei & Templates

Atlassian Confluence Server (CVE-2023-22518) - Improper Authorization

CVE-2023-22518 is a critical vulnerability in Atlassian Confluence Data Center and Server. The vulnerability could potentially allow unauthenticated attackers with network access to the Confluence Instance to restore the database of the Confluence instance and eventually execute arbitrary system commands. Technical Details After performing a patch diff between the patched and unpatched versions, we identified the addition of two new annotations, namely, @WebSudoRequired and @SystemAdminOnly,

Vulnerability Research Nuclei & Templates

F5 BIG-IP Unauth RCE via AJP Smuggling (CVE-2023-46747) - Technical Analysis

Description: CVE-2023-46747 is a critical vulnerability in the F5 BIG-IP Configuration Utility identified as a request smuggling bug within the Apache JServ Protocol (AJP). The flaw could potentially allow unauthenticated attackers with network access to the BIG-IP system through the management port and/or self-IP addresses to execute arbitrary system commands. This vulnerability was discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian Security. It has a CVSS score of 9

Vulnerability Research Nuclei & Templates

Adobe ColdFusion Pre-Auth RCE(s)

For the latest updates on CVE-2023-29300 / CVE-2023-38203 / CVE-2023-38204, see the updates section Introduction The Adobe ColdFusion, widely recognized for its robust web development capabilities, recently released a critical security update. The update specifically targeted three security issues, among them, CVE-2023-29300, a highly concerning pre-authentication Remote Code Execution (RCE) vulnerability. This vulnerability poses a significant threat, allowing malicious actors to execute arb

Vulnerability Research Nuclei & Templates

CVE-2023-36934 Analysis: MOVEit Transfer SQL Injection

Introduction At ProjectDiscovery, our focus is on enhancing our open-source solution, Nuclei, by incorporating templates for trending CVEs. Our collaborative efforts involve constant additions of templates by the open-source community, internal template and research team to stay updated on emerging exploits. One such notable case involves MOVEit Transfer, a widely utilized web application, which recently came under scrutiny due to a series of SQL injection (SQLi) vulnerabilities. These vulnera

Vulnerability Management Nuclei & Templates

PHP Development Server <= 7.4.21 - Remote Source Disclosure

Introduction While testing request pipelining on multiple programming language built-in servers, we observed strange behavior with PHP’s. As we delved deeper, we discovered a security bug in PHP that could expose the source code of PHP files as if they were static files rather than executing them as intended. Upon further testing, we found that the vulnerability was not present in the latest PHP release. We conducted further tests on different versions of PHP to determine when the bug was fixe

Vulnerability Research Nuclei & Templates

Harsh Jaiswal

GitHub Enterprise SAML Authentication Bypass (CVE-2024-4985 / CVE-2024-9487)

Ruby-SAML / GitLab Authentication Bypass (CVE-2024-45409)

Hacking Apple - SQL Injection to Remote Code Execution

Hello Lucee! Let us hack Apple again?

Atlassian Confluence - Remote Code Execution (CVE-2023-22527)

CrushFTP - CVE-2023-43177 Unauthenticated Remote Code Execution

Atlassian Confluence Server (CVE-2023-22518) - Improper Authorization

F5 BIG-IP Unauth RCE via AJP Smuggling (CVE-2023-46747) - Technical Analysis

Adobe ColdFusion Pre-Auth RCE(s)

CVE-2023-36934 Analysis: MOVEit Transfer SQL Injection

PHP Development Server <= 7.4.21 - Remote Source Disclosure

Monitor your infrastructure

Talk to sales

Platform

Open Source

Resources

Company