Skip to content

Add vpatch-CVE-2024-28752 rule and test#53

Closed
crowdsec-automation wants to merge 4 commits into
masterfrom
1782911193-vpatch-CVE-2024-28752
Closed

Add vpatch-CVE-2024-28752 rule and test#53
crowdsec-automation wants to merge 4 commits into
masterfrom
1782911193-vpatch-CVE-2024-28752

Conversation

@crowdsec-automation

Copy link
Copy Markdown

This rule detects exploitation attempts for CVE-2024-28752, an SSRF and local file read vulnerability in Apache CXF's Aegis DataBinding via the XOP Include mechanism in multipart SOAP requests.

  • The first rule block matches requests to the /test endpoint, which is the target path in the provided nuclei template.
  • The second rule block inspects the raw HTTP body for the presence of the XOP Include element with an href attribute pointing to a local file (file://). The match is made case-insensitive by applying the lowercase transform.
  • The use of RAW_BODY is appropriate because the payload is a multipart SOAP envelope, not a standard form or JSON argument.
  • The detection is focused on the XOP Include pattern with a local file reference, which is the core of the exploit.
  • The labels section includes the correct CVE, ATT&CK, and CWE references, and the label follows the required format.

Validation checklist:

  • All value: fields are lowercase.
  • transform includes lowercase where applicable.
  • No match.value contains capital letters.
  • The rule uses contains instead of regex for the body pattern, as only a substring match is needed.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

Hello @crowdsec-automation and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2024-28752 🔴

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown

Hello @crowdsec-automation,

Scenarios/AppSec Rule are compliant with the taxonomy, thank you for your contribution!

@he2ss

he2ss commented Jul 1, 2026

Copy link
Copy Markdown
Member

too generic/complicated

@he2ss he2ss closed this Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants