Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_root_path attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the client_ip_address attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the host_header_name attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the port_number attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_port_number attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_protocol_version attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_ssl_protocol_version attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_ssl_ciphers attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or
Solution:
Security researchers at FireEye have discovered a new vulnerability in Rocket Cloud that could allow attackers to inject arbitrary HTML and JavaScript into the application's server-side code.
Rocket Cloud is an open source, high performance web server application with multiple modules that includes functionality for configuring SSL/TLS encryption certificates, publishing content via HTTP(S), file serving, and more.
This vulnerability is similar to CVE-2017-12377 (Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_root_path attribute of a crafted request) and can be exploited by sending a malicious request to the affected product endpoint.
Limitations and Recommendations
The server_root_path appears to be the root path for the web application, including any paths on the server.
The client_ip_address is a combination of an IP and a port number. There are no limitations provided in this field.
References:
Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_protocol_version attribute of a crafted request, and Rocket Cloud before 1:1:1 is vulnerable to this vulnerability as well because it uses an SSL-enabled HTTP protocol without hostname verification that can be modified by an attacker during transit from an internal network that includes servers running vulnerable versions prior to version 2:1:1
Timeline
Published on: 12/01/2022 06:15:00 UTC
Last modified on: 12/05/2022 18:07:00 UTC
References
- https://www.synacktiv.com/sites/default/files/2022-11/trufusion_enterprise_unauthenticated_arbitrary_file_write.pdf
- https://docs.rocketsoftware.com/bundle/TRUfusionEnterprise_ReleaseNotes_V7.9.6.1/resource/TRUfusionEnterprise_ReleaseNotes_V7.9.6.1.pdf
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36431