automatic module_metadata_base.json update

2026-04-14 14:41:11 +00:00
parent 5b6c2be9d1
commit dbcb702e1d
1 changed files with 25 additions and 78 deletions
@@ -85934,87 +85934,33 @@
    "session_types": false,
    "needs_cleanup": null
  },
-  "exploit_linux/http/selenium_greed_chrome_rce_cve_2022_28108": {
-    "name": "Selenium chrome RCE",
-    "fullname": "exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108",
-    "aliases": [],
+  "exploit_linux/http/selenium_greed_rce": {
+    "name": "Selenium Grid/Selenoid Unauthenticated RCE",
+    "fullname": "exploit/linux/http/selenium_greed_rce",
+    "aliases": [
+      "exploit/linux/http/selenium_greed_chrome_rce_cve_2022_28108",
+      "exploit/linux/http/selenium_greed_firefox_rce_cve_2022_28108"
+    ],
    "rank": 600,
-    "disclosure_date": "2022-04-18",
-    "type": "exploit",
-    "author": [
-      "randomstuff (Gabriel Corona)",
-      "Wiz Research",
-      "Takahiro Yokoyama"
-    ],
-    "description": "Selenium Server (Grid) before 4.0.0-alpha-7 allows CSRF because it permits non-JSON content types\n          such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.",
-    "references": [
-      "CVE-2022-28108",
-      "URL-https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps",
-      "URL-https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/"
-    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd",
-    "rport": 4444,
-    "autofilter_ports": [
-      80,
-      8080,
-      443,
-      8000,
-      8888,
-      8880,
-      8008,
-      3000,
-      8443
-    ],
-    "autofilter_services": [
-      "http",
-      "https"
-    ],
-    "targets": [
-      "Linux Command"
-    ],
-    "mod_time": "2025-12-17 16:12:31 +0000",
-    "path": "/modules/exploits/linux/http/selenium_greed_chrome_rce_cve_2022_28108.rb",
-    "is_install_path": true,
-    "ref_name": "linux/http/selenium_greed_chrome_rce_cve_2022_28108",
-    "check": true,
-    "post_auth": false,
-    "default_credential": false,
-    "notes": {
-      "Stability": [
-        "crash-safe"
-      ],
-      "SideEffects": [
-        "artifacts-on-disk",
-        "ioc-in-logs"
-      ],
-      "Reliability": [
-        "repeatable-session"
-      ]
-    },
-    "session_types": false,
-    "needs_cleanup": null
-  },
-  "exploit_linux/http/selenium_greed_firefox_rce_cve_2022_28108": {
-    "name": "Selenium geckodriver RCE",
-    "fullname": "exploit/linux/http/selenium_greed_firefox_rce_cve_2022_28108",
-    "aliases": [],
-    "rank": 600,
-    "disclosure_date": "2022-04-18",
+    "disclosure_date": "2021-05-28",
    "type": "exploit",
    "author": [
      "Jon Stratton",
-      "Takahiro Yokoyama"
+      "Wiz Research",
+      "Takahiro Yokoyama",
+      "Valentin Lobstein <chocapikk@leakix.net>"
    ],
-    "description": "Selenium Server (Grid) <= 4.27.0 (latest version at the time of this writing)\n          allows CSRF because it permits non-JSON content types\n          such as application/x-www-form-urlencoded, multipart/form-data, and text/plain.",
+    "description": "Selenium Grid and Selenoid expose a WebDriver API that allows creating\n          browser sessions with arbitrary capabilities. When deployed without\n          authentication (the default for both), an attacker can achieve remote\n          code execution through two browser-specific techniques:\n\n          For Chrome, the goog:chromeOptions binary field can be set to an\n          arbitrary executable such as /usr/bin/python3, since ChromeDriver does\n          not validate it. This was fixed in Selenium Grid 4.11.0 via the\n          stereotype capabilities merge. All Selenoid versions remain vulnerable.\n\n          For Firefox, a custom profile containing a malicious MIME handler that\n          maps application/sh to /bin/sh can be injected via moz:firefoxOptions.\n          Navigating to a data: URI with that content type triggers shell\n          execution. This technique has never been patched and works on all\n          Selenium Grid versions including the latest release.\n\n          The module auto-detects available browsers and selects the best attack\n          vector. Firefox is preferred as it works on all Grid versions.\n\n          The default Docker images run as seluser/selenium with passwordless\n          sudo, allowing trivial privilege escalation to root.",
    "references": [
-      "CVE-2022-28108",
-      "URL-https://www.gabriel.urdhr.fr/2022/02/07/selenium-standalone-server-csrf-dns-rebinding-rce/",
+      "URL-https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps",
+      "URL-https://www.selenium.dev/blog/2024/protecting-unsecured-selenium-grid/",
+      "URL-https://github.com/SeleniumHQ/selenium/issues/9526",
      "URL-https://github.com/JonStratton/selenium-node-takeover-kit/tree/master",
-      "EDB-49915"
+      "EDB-49915",
+      "CWE-306"
    ],
-    "platform": "Linux,Unix",
-    "arch": "cmd",
+    "platform": "Linux,Python,Unix",
+    "arch": "python, cmd",
    "rport": 4444,
    "autofilter_ports": [
      80,
@@ -86032,12 +85978,13 @@
      "https"
    ],
    "targets": [
-      "Linux Command"
+      "Python In-Memory",
+      "Unix/Linux Command Shell"
    ],
-    "mod_time": "2025-12-17 16:12:31 +0000",
-    "path": "/modules/exploits/linux/http/selenium_greed_firefox_rce_cve_2022_28108.rb",
+    "mod_time": "2026-04-14 10:17:04 +0000",
+    "path": "/modules/exploits/linux/http/selenium_greed_rce.rb",
    "is_install_path": true,
-    "ref_name": "linux/http/selenium_greed_firefox_rce_cve_2022_28108",
+    "ref_name": "linux/http/selenium_greed_rce",
    "check": true,
    "post_auth": false,
    "default_credential": false,
@@ -86054,7 +86001,7 @@
      ]
    },
    "session_types": false,
-    "needs_cleanup": null
+    "needs_cleanup": true
  },
  "exploit_linux/http/skyvern_ssti_cve_2025_49619": {
    "name": "Skyvern SSTI Remote Code Execution",