Hello @buixor, ✅ The new VPATCH Rule is compliant, thank you for your contribution!

Hello @buixor and thank you for your contribution! I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. The following items have errors:
crowdsecurity/crs-exclusion-plugin-cpanel:
crowdsecurity/crs-exclusion-plugin-dokuwiki:
crowdsecurity/crs-exclusion-plugin-drupal:
crowdsecurity/crs-exclusion-plugin-nextcloud:
crowdsecurity/crs-exclusion-plugin-phpbb:
crowdsecurity/crs-exclusion-plugin-phpmyadmin:
crowdsecurity/crs-exclusion-plugin-wordpress:
crowdsecurity/crs-exclusion-plugin-xenforo:
Mitre ATT&CK
Information about mitre attack can be found here.
Expected format is (where
labels:
  classification:
    - attack.TXXXX
CVEs
If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it. Expected format is (where
labels:
  classification:
    - cve.CVE-XXX-XXX
Behaviors
Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here. Expected format is (where
labels:
  behavior: <behavior>
See the labels documentation for more information.
Add vpatch rule for CVE-2023-29357 — Microsoft SharePoint Authentication Bypass
Adds a virtual-patch AppSec rule and associated test assets for CVE-2023-29357, a critical (CVSS 9.8) authentication bypass in Microsoft SharePoint Server exploited by forging JWT tokens using the none signing algorithm to impersonate administrator sessions via the SharePoint REST API. This CVE is KEV-listed, actively used in ransomware campaigns, and chains with CVE-2023-24955 to achieve unauthenticated RCE. Over 150,000 SharePoint instances are exposed on the internet.
Detection logic: matches GET requests to /_api/ endpoints where the Authorization header contains the hashedprooftoken claim — a field injected by the exploit's forged JWT that does not appear in any legitimate SharePoint token.
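The detection logic described above, sketched as an added Python example (not the rule from this PR and not CrowdSec code). It decodes the bearer token's base64url segments before looking for the claim, because the claim name does not appear literally in the encoded header value; the request paths, token contents and function names are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit

CLAIM = "hashedprooftoken"  # claim named in the PR's detection logic

def _b64url_json(segment):
    """Decode one base64url JWT segment to a dict; {} if malformed."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return {}
    return obj if isinstance(obj, dict) else {}

def inspect_request(method, uri, headers):
    """Return findings for one request; an empty list means no match."""
    if method.upper() != "GET" or "/_api/" not in urlsplit(uri).path.lower():
        return []
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = auth.strip().partition(" ")
    parts = token.strip().split(".")
    if scheme.lower() != "bearer" or len(parts) != 3:
        return []
    header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    findings = []
    if any(str(k).lower() == CLAIM for k in payload):
        findings.append("hashedprooftoken claim present")
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg=none (unsigned token)")
    return findings

def _sample_token(header, payload, sig=""):
    """Build a constructed sample token with placeholder contents."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"Bearer {enc(header)}.{enc(payload)}.{sig}"

FLAGGED = _sample_token({"alg": "none"}, {CLAIM: "placeholder"})
BENIGN = _sample_token({"alg": "RS256"}, {"aud": "placeholder"}, sig="c2ln")
SAMPLES = [  # constructed requests, not captured traffic
    ("GET", "/_api/web", {"Authorization": FLAGGED}),
    ("GET", "/_api/web", {"Authorization": BENIGN}),
    ("GET", "/sites/home", {"Authorization": FLAGGED}),
    ("GET", "/_api/web", {"Authorization": "Bearer not-a-jwt"}),
]

if __name__ == "__main__":
    for method, uri, headers in SAMPLES:
        print(method, uri, inspect_request(method, uri, headers))
```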