Add vpatch-CVE-2023-24000 rule and test#1739
Conversation
|
Hello @crowdsec-automation and thank you for your contribution! ❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection: 🔴 crowdsecurity/vpatch-CVE-2023-24000 🔴 |
|
Hello @crowdsec-automation and thank you for your contribution! I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. The following items have errors: crowdsecurity/crs-exclusion-plugin-cpanel:
crowdsecurity/crs-exclusion-plugin-dokuwiki:
crowdsecurity/crs-exclusion-plugin-drupal:
crowdsecurity/crs-exclusion-plugin-nextcloud:
crowdsecurity/crs-exclusion-plugin-phpbb:
crowdsecurity/crs-exclusion-plugin-phpmyadmin:
crowdsecurity/crs-exclusion-plugin-wordpress:
crowdsecurity/crs-exclusion-plugin-xenforo:
Mitre ATT&CKInformation about mitre attack can be found here.
Expected format is (where labels:
classification:
- attack.TXXXXCVEsIf your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it. Expected format is (where labels:
classification:
- cve.CVE-XXX-XXXBehaviorsPlease identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here. Expected format is (where labels:
behavior: <behavior>See the labels documentation for more information. |
Agent-Logs-Url: https://github.com/crowdsecurity/hub/sessions/c3bff159-da7c-41b1-9a0f-2d2ba68d3d2e Co-authored-by: buixor <990714+buixor@users.noreply.github.com>
|
@copilot move the rule to the wordpress vpatch collection |
Agent-Logs-Url: https://github.com/crowdsecurity/hub/sessions/4876d047-7769-4521-9ff3-6819bfb0e17a Co-authored-by: buixor <990714+buixor@users.noreply.github.com>
Added |
|
Hello @buixor and thank you for your contribution! ❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection: 🔴 crowdsecurity/vpatch-CVE-2023-6623 🔴 |
|
Hello @buixor and thank you for your contribution! I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. The following items have errors: crowdsecurity/crs-exclusion-plugin-cpanel:
crowdsecurity/crs-exclusion-plugin-dokuwiki:
crowdsecurity/crs-exclusion-plugin-drupal:
crowdsecurity/crs-exclusion-plugin-nextcloud:
crowdsecurity/crs-exclusion-plugin-phpbb:
crowdsecurity/crs-exclusion-plugin-phpmyadmin:
crowdsecurity/crs-exclusion-plugin-wordpress:
crowdsecurity/crs-exclusion-plugin-xenforo:
Mitre ATT&CKInformation about mitre attack can be found here.
Expected format is (where labels:
classification:
- attack.TXXXXCVEsIf your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it. Expected format is (where labels:
classification:
- cve.CVE-XXX-XXXBehaviorsPlease identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here. Expected format is (where labels:
behavior: <behavior>See the labels documentation for more information. |
|
Hello @buixor and thank you for your contribution! I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information. The following items have errors: crowdsecurity/crs-exclusion-plugin-cpanel:
crowdsecurity/crs-exclusion-plugin-dokuwiki:
crowdsecurity/crs-exclusion-plugin-drupal:
crowdsecurity/crs-exclusion-plugin-nextcloud:
crowdsecurity/crs-exclusion-plugin-phpbb:
crowdsecurity/crs-exclusion-plugin-phpmyadmin:
crowdsecurity/crs-exclusion-plugin-wordpress:
crowdsecurity/crs-exclusion-plugin-xenforo:
Mitre ATT&CKInformation about mitre attack can be found here.
Expected format is (where labels:
classification:
- attack.TXXXXCVEsIf your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it. Expected format is (where labels:
classification:
- cve.CVE-XXX-XXXBehaviorsPlease identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here. Expected format is (where labels:
behavior: <behavior>See the labels documentation for more information. |
* Add vpatch-CVE-2023-24000 rule * Add vpatch-CVE-2023-24000 test config * Add CVE-2023-24000.yaml test * Add vpatch-CVE-2023-24000 rule to vpatch collection * Change trigger_type[] match to negative regex [^a-z0-9_-] Agent-Logs-Url: https://github.com/crowdsecurity/hub/sessions/c3bff159-da7c-41b1-9a0f-2d2ba68d3d2e Co-authored-by: buixor <990714+buixor@users.noreply.github.com> * Add vpatch-CVE-2023-24000 to appsec-wordpress collection Agent-Logs-Url: https://github.com/crowdsecurity/hub/sessions/4876d047-7769-4521-9ff3-6819bfb0e17a Co-authored-by: buixor <990714+buixor@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: buixor <990714+buixor@users.noreply.github.com> Co-authored-by: Thibault "bui" Koechlin <thibault@crowdsec.net>
Description
This PR adds a new vpatch rule for CVE-2023-24000 (WordPress GamiPress SQL injection via
trigger_type[]parameter) along with its corresponding test configuration. The rule is included in thecrowdsecurity/appsec-wordpresscollection.The rule:
/wp-json/wp/v2/gamipress-logs(withlowercaseandurldecodetransforms for normalization).trigger_type[]argument using a negative regex[^a-z0-9_-], which matches any value containing characters outside of lowercase alphanumeric, underscore, and hyphen — catching SQL injection payloads while allowing normal trigger type values.crowdsecurity/appsec-wordpresscollection.Checklist