From 741969c4cc4172d8a69ee3ebe89124792b4fc12b Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 1 Jul 2026 15:06:35 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2024-28752 rule --- .../crowdsecurity/vpatch-CVE-2024-28752.yaml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2024-28752.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2024-28752.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2024-28752.yaml new file mode 100644 index 00000000000..ab4b3e44dec --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2024-28752.yaml @@ -0,0 +1,31 @@ +## autogenerated on 2026-07-01 13:06:32 +name: crowdsecurity/vpatch-CVE-2024-28752 +description: 'Detects SSRF and local file read attempts in Apache CXF via XOP Include in multipart SOAP requests.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /test + - zones: + - RAW_BODY + transform: + - lowercase + match: + type: contains + value: ' + + + + + + + + + + ------nucleibound-- + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 8247501b4398dc42430f68a21c98b34ba128cd5f Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 1 Jul 2026 15:06:40 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2024-28752 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 79a2e5ca01c..a2216a6a73f 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -158,6 +158,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2020-8656 - crowdsecurity/vpatch-CVE-2025-27222 - crowdsecurity/vpatch-CVE-2025-64446 +- crowdsecurity/vpatch-CVE-2024-28752 - crowdsecurity/vpatch-CVE-2020-10987 - crowdsecurity/vpatch-CVE-2025-55182 - crowdsecurity/vpatch-CVE-2024-6235