Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_root_path attribute of a crafted request.
Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the client_ip_address attribute of a crafted request.
Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the host_header_name attribute of a crafted request.
Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the port_number attribute of a crafted request.
Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_port_number attribute of a crafted request.
Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_protocol_version attribute of a crafted request.
Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_ssl_protocol_version attribute of a crafted request.
Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_ssl_ciphers attribute of a crafted request.
Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or

Solution:

Security researchers at FireEye have discovered a new vulnerability in Rocket Cloud that could allow attackers to inject arbitrary HTML and JavaScript into the application's server-side code.
Rocket Cloud is an open source, high performance web server application with multiple modules that includes functionality for configuring SSL/TLS encryption certificates, publishing content via HTTP(S), file serving, and more.
This vulnerability is similar to CVE-2017-12377 (Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_root_path attribute of a crafted request) and can be exploited by sending a malicious request to the affected product endpoint.

Limitations and Recommendations

The server_root_path appears to be the root path for the web application, including any paths on the server.
The client_ip_address is a combination of an IP and a port number. There are no limitations provided in this field.

References:

Rocket Cloud before 1.2.0 allows remote attackers to inject arbitrary web script or HTML via the server_protocol_version attribute of a crafted request. Rocket Cloud before 1:1:1 is also vulnerable because it uses an SSL-enabled HTTP protocol without hostname verification that can be modified by an attacker during transit from an internal network that includes servers running vulnerable versions prior to version 2:1:1.

Timeline

Published on: 12/01/2022 06:15:00 UTC
Last modified on: 12/05/2022 18:07:00 UTC

References