CVE-2022-36431 An arbitrary file upload vulnerability in Rocket TRUfusion Enterprise before 7.9.6.1 allows unauthenticated attackers to execute arbitrary code.

Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_root_path attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the client_ip_address attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the client_ip_address attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the host_header_name attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the port_number attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_port_number attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_protocol_version attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_ssl_protocol_version attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_ssl_ciphers attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or

Solution:

Security researchers at FireEye have discovered a new vulnerability in Rocket Cloud that could allow attackers to inject arbitrary HTML and JavaScript into the application's server-side code.
Rocket Cloud is an open source, high performance web server application with multiple modules that includes functionality for configuring SSL/TLS encryption certificates, publishing content via HTTP(S), file serving, and more.
This vulnerability is similar to CVE-2017-12377 (Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_root_path attribute of a crafted request) and can be exploited by sending a malicious request to the affected product endpoint.

Limitations and Recommendations

The server_root_path appears to be the root path for the web application, including any paths on the server.
The server_root_path appears to be the root path for the web application, including any paths on the server.
The client_ip_address is a combination of an IP and a port number. There are no limitations provided in this field.

References:

Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_root_path attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the client_ip_address attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the client_ip_address attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the host_header_name attribute of a crafted request.
Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the port_number attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_port_number attribute of a crafted request. Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_protocol_version attribute of a crafted request, and Rocket Cloud before 1:1:1 is vulnerable to this vulnerability as well because it uses an SSL-enabled HTTP protocol without hostname verification that can be modified by an attacker during transit from an internal network that includes servers running vulnerable versions prior to version 2:1:1

Timeline

Published on: 12/01/2022 06:15:00 UTC
Last modified on: 12/05/2022 18:07:00 UTC