[FALSE-NEGATIVE] CVE-2024-3273

[Mzack9999]

Template IDs or paths

• CVE-2024-3273
• http/cves/2024/CVE-2024-3273.yaml

Steps To Reproduce

1. Run nuclei -t http/cves/2024/CVE-2024-3273.yaml -u <vulnerable-target>
2. Template fails to match on some vulnerable targets

Anything else?

The template uses matchers-condition: and requiring both <auth_state>1</auth_state> and a regex uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) in the body. Some vulnerable targets don't return the uid/gid output on the front end, causing false negatives.

Compare with https://github.com/Chocapikk/CVE-2024-3273 which successfully exploits the same targets.

Migrated from projectdiscovery/nuclei#5374.

[Akokonunes]

Hi @Mzack9999

We tested this template against multiple vulnerable D-Link targets and all matched correctly on both <auth_state>1</auth_state> and uid/gid regex. Could you share the specific target exhibiting the false negative with us at templates@projectdiscovery.io so we can investigate further?

[Mzack9999]

@Akokonunes I migrated this from projectdiscovery/nuclei#5374, the original reporter is @soevai. The gist is that the template requires both <auth_state>1</auth_state> and a uid=... gid=... regex to match, but some vulnerable targets don't return the uid/gid output. If the matchers look fine to you or you've already adjusted them, feel free to close this.

[Akokonunes]

Thanks @Mzack9999

Tested against multiple live targets, all matched correctly with the current matchers. The uid/gid output is consistently present in authenticated responses across tested firmware variants. Closing as not reproducible, but if you have a specific target where auth_state=1 returns without uid/gid, please share it at templates@projectdiscovery.io and we'll revisit.