""ET EXPLOIT VMWare Server-side Template Injection RCE (CVE-2022-22954)""

SID: 2035876

Revision: 2

Class Type: attempted-admin

Metadata: affected_product VMware, attack_target Server, created_at 2022_04_08, cve CVE_2022_22954, deployment Perimeter, deployment Internal, deployment SSLDecrypt, signature_severity Major, updated_at 2022_04_08

Reference:

  • cve

  • 2022-22954

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: [$HOME_NET,$HTTP_SERVERS]

Destination Port: any

Flow: established,to_server

Contents:

  • Value: "/catalog-portal/"

  • Value: "%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22"

  • Value: "%6e%65%77%28%29"

Within: 200

PCRE:

Special Options:

  • http_uri

  • http_client_body

  • fast_pattern

  • nocase

  • http_client_body

  • nocase

source