Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-28752/CVE-2024-28752.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
## autogenerated on 2026-07-01 13:06:32
id: CVE-2024-28752
info:
name: CVE-2024-28752
author: crowdsec
severity: info
description: CVE-2024-28752 testing
tags: appsec-testing
http:
- raw:
- |
POST /test HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/related; boundary=----nucleibound

------nucleibound
Content-Disposition: form-data; name="1"

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://service.namespace/">
<soapenv:Header/>
<soapenv:Body>
<web:test>
<arg0>
<count><xop:Include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file:///etc/passwd"></xop:Include></count>
</arg0>
</web:test>
</soapenv:Body>
</soapenv:Envelope>
------nucleibound--
cookie-reuse: true
matchers:
- type: status
status:
- 403
5 changes: 5 additions & 0 deletions .appsec-tests/vpatch-CVE-2024-28752/config.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
## autogenerated on 2026-07-01 13:06:32
appsec-rules:
- ./appsec-rules/crowdsecurity/base-config.yaml
- ./appsec-rules/crowdsecurity/vpatch-CVE-2024-28752.yaml
nuclei_template: CVE-2024-28752.yaml
31 changes: 31 additions & 0 deletions appsec-rules/crowdsecurity/vpatch-CVE-2024-28752.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
## autogenerated on 2026-07-01 13:06:32
name: crowdsecurity/vpatch-CVE-2024-28752
description: 'Detects SSRF and local file read attempts in Apache CXF via XOP Include in multipart SOAP requests.'
rules:
- and:
- zones:
- URI
transform:
- lowercase
match:
type: contains
value: /test
- zones:
- RAW_BODY
transform:
- lowercase
match:
type: contains
value: '<xop:include xmlns:xop="http://www.w3.org/2004/08/xop/include" href="file://'

labels:
type: exploit
service: http
confidence: 3
spoofable: 0
behavior: 'http:exploit'
label: 'Apache CXF - SSRF/LFI'
classification:
- cve.CVE-2024-28752
- attack.T1190
- cwe.CWE-918
1 change: 1 addition & 0 deletions collections/crowdsecurity/appsec-virtual-patching.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -158,6 +158,7 @@ appsec-rules:
- crowdsecurity/vpatch-CVE-2020-8656
- crowdsecurity/vpatch-CVE-2025-27222
- crowdsecurity/vpatch-CVE-2025-64446
- crowdsecurity/vpatch-CVE-2024-28752
- crowdsecurity/vpatch-CVE-2020-10987
- crowdsecurity/vpatch-CVE-2025-55182
- crowdsecurity/vpatch-CVE-2024-6235
Expand Down
Loading