Skip to content

[FALSE-NEGATIVE] CVE-2021-28164 #12024

Description

@sixteen250

Template IDs or paths

http/cves/2021/CVE-2021-28164.yaml
flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/WEB-INF/web.xml"

    matchers:
      - type: dsl
        internal: true
        dsl:
          - "!contains_all(body, '</web-app>', 'java.sun.com')"
          - "!contains_all(header, 'application/xml')"
          - "status_code != 200"
          - "status_code != 404"
        condition: and

  - method: GET
    path:
      - "{{BaseURL}}/%2e/WEB-INF/web.xml"

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, '</web-app>', 'java.sun.com')"
          - "contains_all(header, 'application/xml')"
          - "status_code == 200"
        condition: and

Environment

- OS: 
- Nuclei: 
- Go:

Steps To Reproduce

pull/8597 should be revoked

pull:#8597

commit:9b9f79d

The condition "status_code != 404" in http(1) Should be removed.

Reasoning:
Detection Logic: This template uses a two-step process:

First request: checks if /WEB-INF/web.xml is NOT accessible directly (as expected in secure configurations)
Second request: checks if /%2e/WEB-INF/web.xml IS accessible (which would indicate the vulnerability)
Problem with Current Logic:

The first request's matcher uses an AND condition requiring all conditions to be true
When a server is properly secured, it will typically return a 404 for /WEB-INF/web.xml
The current condition status_code != 404 prevents the flow from continuing to the second request in this case.

Impact on Detection:
Many vulnerable systems would be missed because the first check fails when it encounters a 404
The 404 status code is actually the expected secure behavior for the first request

Relevant dumped responses

Anything else?

No response

Metadata

Metadata

Assignees

Labels

false-negativeNuclei template missing valid results

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions