CVE-2022-25237
Published 2022-06-02
Priority: P1 93 · critical · CVSS 3.1 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 56.22% (98.9th percentile)
Bonita Web 2021.2 is affected by an authentication/authorization bypass vulnerability due to an overly broad exclude pattern used in the RestAPIAuthorizationFilter. By appending ;i18ntranslation or /../i18ntranslation/ to the end of a URL, users with no privileges can access privileged API endpoints. This can lead to remote code execution by abusing the privileged API actions.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bonitasoft | bonita_web | — | — |
Detection & IOCs (extracted from sources)
- url: /bonita/API/pageUpload
- path: /i18ntranslation/../
- cookie: JSESSIONID=
- cookie: X-Bonita-API-Token=

Snort/Suricata rule (ET SID 2036820):
```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Bonitasoft Authorization Bypass and RCE Upload M2 (CVE-2022-25237)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bonita/API/pageUpload"; startswith; content:"action=add"; http.uri.raw; content:"/i18ntranslation/../"; fast_pattern; http.cookie; content:"JSESSIONID="; content:"X-Bonita-API-Token="; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036820; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 2022_06_03;)
```

Snort/Suricata rule (ET SID 2036815):
```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Bonitasoft Default User Login Attempt M1 (Possible Staging for CVE-2022-25237)"; flow:established,to_server; flowbits:set,ET.BonitaDefaultCreds; http.method; content:"POST"; http.uri; content:"/bonita/loginservice"; fast_pattern; http.request_body; content:"username=install"; content:"password=install"; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036815; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence Medium, signature_severity Minor, updated_at 2022_06_03;)
```
- Detect authorization bypass attempts by looking for ;i18ntranslation or /../i18ntranslation/ appended to Bonita API URLs in HTTP URI fields.
- Use Wireshark filter `urlencoded-form.key == "username" && !(http contains "install")` to enumerate unique credential stuffing usernames against Bonitasoft loginservice.
- Detect default credential login attempts against Bonitasoft: POST to /bonita/loginservice with body containing username=install and password=install (ET SID 2036815).
- Detect RCE upload exploitation stage: POST to /bonita/API/pageUpload with action=add and URI containing /i18ntranslation/../ while cookies include both JSESSIONID and X-Bonita-API-Token (ET SID 2036820).
- Use Shodan/FOFA queries to identify exposed Bonita instances: Shodan `http.title:"Bonita" || "Server: Bonita"`, FOFA `title="Bonita" || header="Server: Bonita"`.
- Post-exploitation persistence: monitor writes to /home/ubuntu/.ssh/authorized_keys, as the attacker used the privileged API to plant an SSH public key.
- Map attacker SSH key persistence to MITRE ATT&CK T1098.004 (Account Manipulation: SSH Authorized Keys).
- Note: the Nuclei template targets Bonita Web version 2021.2 specifically; the bypass payload and detection logic may not apply to patched or newer versions.
- Note: the Snort/ET rules (SID 2036820, 2036815) require SSL decryption to be effective against HTTPS-protected Bonita deployments, as noted in the deployment metadata.
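The detection conditions of the ET rules quoted on this page (SIDs 2036815 to 2036821), expressed as log-side detection logic and run over constructed request records. This is an added example, not code from the page's sources or from Bonitasoft; the record layout (method, uri, cookie, body), the cookie values and the sample requests are assumptions made for the demonstration.

```python
# Added example: mirrors the ET rule conditions for CVE-2022-25237 over request
# records (dicts with method/uri/cookie/body); not the ET rules or vendor code.
from urllib.parse import unquote

BYPASS_SEMI = ";i18ntranslation"      # path-parameter form (SIDs 2036818 / 2036821)
BYPASS_TRAV = "/i18ntranslation/../"  # traversal form (SIDs 2036819 / 2036820)


def classify(req):
    """Return the set of ET SIDs whose conditions this request record satisfies."""
    method = req.get("method", "").upper()
    raw_uri = req.get("uri", "")
    # Suricata's http.uri buffer is normalized (percent-decoded) while http.uri.raw
    # is not; decoding here catches %3b / %2e%2e variants a raw-only match would miss.
    uri = unquote(raw_uri)
    cookies = req.get("cookie", "")
    body = req.get("body", "")

    both_cookies = "JSESSIONID=" in cookies and "X-Bonita-API-Token=" in cookies
    semi = BYPASS_SEMI in uri
    trav = BYPASS_TRAV in raw_uri or BYPASS_TRAV in uri
    upload = (method == "POST" and uri.startswith("/bonita/API/pageUpload")
              and "action=add" in uri)

    hits = set()
    if both_cookies and semi:
        hits.add(2036818)   # Authorization Bypass M1
    if both_cookies and trav:
        hits.add(2036819)   # Authorization Bypass M2
    if both_cookies and upload and semi:
        hits.add(2036821)   # Bypass and RCE Upload M1
    if both_cookies and upload and trav:
        hits.add(2036820)   # Bypass and RCE Upload M2
    if (method == "POST" and uri.startswith("/bonita/loginservice")
            and "username=install" in body and "password=install" in body):
        hits.add(2036815)   # Default User Login Attempt M1 (staging)
    if (method == "POST" and uri.startswith("/bonita/platformloginservice")
            and "username=platformAdmin" in body and "password=platform" in body):
        hits.add(2036816)   # Default User Login Attempt M2 (staging)
    return hits


def scan(requests):
    """Return (index, sorted SIDs) for every record that matches at least one rule."""
    return [(i, sorted(classify(r))) for i, r in enumerate(requests) if classify(r)]


COOKIES = "JSESSIONID=abc; X-Bonita-API-Token=def"  # constructed placeholder values
SAMPLE_REQUESTS = [  # constructed records, not captured traffic
    {"method": "POST", "uri": "/bonita/API/pageUpload;i18ntranslation?action=add", "cookie": COOKIES, "body": ""},
    {"method": "POST", "uri": "/bonita/API/pageUpload/i18ntranslation/../?action=add", "cookie": COOKIES, "body": ""},
    {"method": "POST", "uri": "/bonita/loginservice", "cookie": "", "body": "username=install&password=install"},
    {"method": "POST", "uri": "/bonita/API/pageUpload?action=add", "cookie": COOKIES, "body": ""},  # legitimate upload
    {"method": "GET", "uri": "/bonita/API/pageUpload%3bi18ntranslation", "cookie": COOKIES, "body": ""},  # encoded
]

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))
```

The fourth record shows that a normal admin upload with both cookies but no bypass token produces no hit, which is the false-positive case the pageUpload rules avoid by requiring the `i18ntranslation` marker.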
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| VulnCheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-x954-v3m6-xm82: Bonita Web 2021 (ghsa_unreviewed · 2022-06-03 · CVE-2022-25237 · CRITICAL · CWE-863)
Description: same text as the CVE description above.
VulnCheck
Bonita Web RestAPIAuthorizationFilter Authentication Bypass Vulnerability (vulncheck · 2022 · CVE-2022-25237 · CVSS 9.8 · CRITICAL)
Description: same text as the CVE description above.
Affected: bonitasoft bonita_web
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-05-15&host_type=src&vulnerability=cve-2022-2523
Suricata
ET WEB_SPECIFIC_APPS Altenergy Power Control Software Command Injection Attempt (CVE-2022-25237) (suricata · 2023-03-28 · CVE-2023-28343 · CVSS 9.8 · CRITICAL)
Note: this rule's reference field cites CVE-2023-28343 and it matches the Altenergy `/management/set_timezone` endpoint, not Bonita; it appears under CVE-2022-25237 only because its msg and metadata fields carry that CVE, so a hit should be triaged as an Altenergy command-injection attempt rather than a Bonita bypass.
Rule:
```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Altenergy Power Control Software Command Injection Attempt (CVE-2022-25237)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/management/set_timezone"; fast_pattern; endswith; http.request_body; content:"timezone="; pcre:"/^[^&]{0,50}(?:%60|%24|%3B)/PRi"; reference:url,github.com/superzerosec/CVE-2023-28343; reference:cve,2023-28343; classtype:attempted-admin; sid:2044825; rev:1; metadata:affected_product HTTP_Server, attack_target Server, created_at 2023_03_28, cve CVE_2022_25237, deployment Perimeter, confidence High, signature_severity Major, tag Description_Generated_By_Proofpo
```
Suricata
ET EXPLOIT Bonitasoft Authorization Bypass and RCE Upload M2 (CVE-2022-25237) (suricata · 2022-06-03 · CVE-2022-25237 · CVSS 9.8 · CRITICAL)
Rule:
```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Bonitasoft Authorization Bypass and RCE Upload M2 (CVE-2022-25237)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bonita/API/pageUpload"; startswith; content:"action=add"; http.uri.raw; content:"/i18ntranslation/../"; fast_pattern; http.cookie; content:"JSESSIONID="; content:"X-Bonita-API-Token="; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036820; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, confidence High,
```
Suricata
ET WEB_SPECIFIC_APPS Bonitasoft Default User Login Attempt M1 (Possible Staging for CVE-2022-25237) (suricata · 2022-06-03 · CVE-2022-25237 · CVSS 9.8 · CRITICAL)
Rule:
```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Bonitasoft Default User Login Attempt M1 (Possible Staging for CVE-2022-25237)"; flow:established,to_server; flowbits:set,ET.BonitaDefaultCreds; http.method; content:"POST"; http.uri; content:"/bonita/loginservice"; fast_pattern; http.request_body; content:"username=install"; content:"password=install"; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036815; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, performance
```
Suricata
ET EXPLOIT Bonitasoft Authorization Bypass M1 (CVE-2022-25237) (suricata · 2022-06-03 · CVE-2022-25237 · CVSS 9.8 · CRITICAL)
Rule:
```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Bonitasoft Authorization Bypass M1 (CVE-2022-25237)"; flow:established,to_server; http.uri; content:"|3b|i18ntranslation"; fast_pattern; http.cookie; content:"JSESSIONID="; content:"X-Bonita-API-Token="; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036818; rev:2; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_03_10;)
```
Suricata
ET WEB_SPECIFIC_APPS Bonitasoft Default User Login Attempt M2 (Possible Staging for CVE-2022-25237) (suricata · 2022-06-03 · CVE-2022-25237 · CVSS 9.8 · CRITICAL)
Rule:
```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET WEB_SPECIFIC_APPS Bonitasoft Default User Login Attempt M2 (Possible Staging for CVE-2022-25237)"; flow:established,to_server; flowbits:set,ET.BonitaDefaultCreds; http.method; content:"POST"; http.uri; content:"/bonita/platformloginservice"; fast_pattern; http.request_body; content:"username=platformAdmin"; content:"password=platform"; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036816; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecry
```
Suricata
ET EXPLOIT Bonitasoft Authorization Bypass M2 (CVE-2022-25237) (suricata · 2022-06-03 · CVE-2022-25237 · CVSS 9.8 · CRITICAL)
Rule:
```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Bonitasoft Authorization Bypass M2 (CVE-2022-25237)"; flow:established,to_server; http.uri.raw; content:"/i18ntranslation/../"; fast_pattern; http.cookie; content:"JSESSIONID="; content:"X-Bonita-API-Token="; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036819; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_06_03;)
```
Suricata
ET EXPLOIT Bonitasoft Authorization Bypass and RCE Upload M1 (CVE-2022-25237) (suricata · 2022-06-03 · CVE-2022-25237 · CVSS 9.8 · CRITICAL)
Rule:
```
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Bonitasoft Authorization Bypass and RCE Upload M1 (CVE-2022-25237)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/bonita/API/pageUpload"; startswith; content:"action=add"; content:"|3b|i18ntranslation"; fast_pattern; http.cookie; content:"JSESSIONID="; content:"X-Bonita-API-Token="; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:attempted-admin; sid:2036821; rev:2; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, confidence High, signature_sever
```
Suricata
ET EXPLOIT Bonitasoft Successful Default User Login Attempt (Possible Staging for CVE-2022-25237) (suricata · 2022-06-03 · CVE-2022-25237 · CVSS 9.8 · CRITICAL)
Rule:
```
alert http [$HTTP_SERVERS,$HOME_NET] any -> any any (msg:"ET EXPLOIT Bonitasoft Successful Default User Login Attempt (Possible Staging for CVE-2022-25237)"; flow:established,to_client; flowbits:isset,ET.BonitaDefaultCreds; http.cookie; content:"JSESSIONID="; content:"X-Bonita-API-Token="; fast_pattern; reference:url,rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasoft-authorization-bypass/; reference:cve,2022-25237; classtype:successful-admin; sid:2036817; rev:1; metadata:attack_target Server, created_at 2022_06_03, cve CVE_2022_25237, deployment Perimeter, deployment SSLDecrypt, confidence Medium, signature_severity Major, updated_at 2022_06_03;)
```
Nuclei
Bonita Web 2021.2 - Authentication/Authorization Bypass (nuclei · CVE-2022-25237 · CVSS 9.8 · CRITICAL)
Bonita Web 2021.2 contains an authentication/authorization bypass vulnerability caused by an overly broad exclude pattern in RestAPIAuthorizationFilter, allowing unauthenticated users to access privileged API endpoints by appending ;i18ntranslation or /../i18ntranslation/ to the URL.
Template:
```yaml
id: CVE-2022-25237

info:
  name: Bonita Web 2021.2 - Authentication/Authorization Bypass
  author: Sourabh-Sahu
  severity: critical
  description: |
    Bonita Web 2021.2 contains an authentication/authorization bypass vulnerability caused by an overly broad exclude pattern in RestAPIAuthorizationFilter, allowing unauthenticated users to access privileged API endpoints by appending ;i18ntranslation or /../i18ntranslation/ to the URL.
  impact: |
    Successf
```
CTF
sherlocks / README (ctf_writeups · CVSS 9.8 · CRITICAL)
HackTheBox Sherlocks - Comprehensive Index: complete index of all known HackTheBox Sherlock DFIR investigation labs with writeup links, difficulty ratings, categories, and key techniques (70+ HTB Sherlock DFIR investigation writeups).
Sherlocks are defensive security labs that simulate real-world security incidents. You investigate evidence, analyze artifacts, and answer forensic questions to solve the case.
Summary:
| Difficulty | Path | Count | Focus |
|------------|------|-------|-------|
| Easy | Easy | 25+ | Log Analysis, Basic DFIR, Simple Malware Triage |
| Medium | Medium | 30+ | Memory Forensics, AD Attacks, Cloud IR, Complex Malware |
CTF
README (ctf_writeups)
Hack The Box Writeups - The Ultimate HTB Resource
> The most comprehensive collection of **Hack The Box writeups**, **walkthroughs**, and **cheatsheets** on GitHub. 500+ machines, 400+ challenges, ProLabs, Sherlocks (DFIR), CTF events, penetration testing methodology, and OSCP/CPTS certification prep - all in one place.
CTF
Meerkat / README (ctf_writeups)
# Meerkat
> Write-up author: jon-brandy
## Lesson learned:
- Identifying **Credential Stuffing** attacks.
- Bonitasoft CVE.
- Packet filtering and custom column value.
## SCENARIO:
As a fast growing startup, Forela have been utilising a business management platform.
Unfortunately our documentation is scarce and our administrators aren't the most security aware.
As our new security provider we'd like you to take a look at some PCAP and log data we have exported to confirm if we have (or have not) been compromised.
## STEPS:
1. In this challenge we're given two files.
> 1ST QUESTION --> ANS : Bonitasoft.
2. To answer it, I started by analyzing the .pcap file.
3. Found out that there are several requests with POST method to `172.31.6.44`. The endpoint is `/bonita/loginservice`.