
fix(CVE-2022-21587): add matchers-condition: and to prevent false positive detection #15621

Merged
pussycat0x merged 2 commits into projectdiscovery:main from Eren-Akdag:fix/CVE-2022-21587-false-positive on Mar 18, 2026


@Eren-Akdag
Contributor

PR Information

  • Fixed CVE-2022-21587 — Oracle E-Business Suite Unauthenticated RCE template produces false positives due to missing matchers-condition: and in Step 2

What changed and why:

The second HTTP request block contained two independent matchers without an explicit matchers-condition. Nuclei's default behavior evaluates multiple matchers with OR logic — meaning either matcher alone is sufficient to trigger a finding.

| Matcher | Type | Before Fix |
|---|---|---|
| UUID word match in body | word | OR — either is enough |
| HTTP status 200 | status | OR — either is enough |

Because status: 200 alone was sufficient, any host returning HTTP 200 at /forms/taint.jsp — regardless of body content — would incorrectly trigger a critical severity finding. The JSP execution proof (UUID) was effectively bypassed.

Fix applied:

Added matchers-condition: and to the second HTTP request block. Now both conditions must be satisfied simultaneously:

  1. Response body must contain 061ea306-46ef-11f0-ad94-f3d183b0689a — proves JSP was uploaded AND executed by the server
  2. HTTP status must be 200

Before:

matchers:
  - type: word
    part: body
    words:
      - '061ea306-46ef-11f0-ad94-f3d183b0689a'
  - type: status
    status:
      - 200

After:

matchers-condition: and
matchers:
  - type: word
    part: body
    words:
      - '061ea306-46ef-11f0-ad94-f3d183b0689a'
  - type: status
    status:
      - 200

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details

False Positive — nuclei -debug output before fix (host info redacted per contribution guidelines)

The target below is not running Oracle EBS. It is a different application that returns HTTP 200 + text/xml for all requests, including non-existent paths such as /forms/taint.jsp.

Step 1 incorrectly passes because the upload endpoint returns a generic XML error response that still satisfies text/xml + status 200. Step 2 then fires on status: 200 alone — nuclei reports [CVE-2022-21587:status-2], confirming only the status matcher triggered and the UUID was never present in the response body.

Step 1 — POST /OA_HTML/BneOfflineLOVService

Request:

POST /OA_HTML/BneOfflineLOVService?bne:uueupload=true HTTP/1.1
Host: [REDACTED]
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZsMro0UsAQYLDZGv
...

Response:

HTTP/1.1 200 OK
Content-Type: text/xml;charset=utf-8

<?xml version="1.0" encoding="UTF-8" ?>
<Response>
  <retcode>-2</retcode>
  <desc>[REDACTED]</desc>
  <errorCode>[REDACTED]</errorCode>
</Response>

Step 1 matcher result: PASS (incorrect) — text/xml present + status 200, but upload was rejected by the server.


Step 2 — GET /forms/taint.jsp

Request:

GET /forms/taint.jsp HTTP/1.1
Host: [REDACTED]

Response:

HTTP/1.1 200 OK
Content-Type: text/xml;charset=utf-8

<?xml version="1.0" encoding="UTF-8" ?>
<Response>
  <retcode>-2</retcode>
  <desc>[REDACTED]</desc>
  <errorCode>[REDACTED]</errorCode>
</Response>

Step 2 matcher result: PASS (incorrect) — UUID not in body, status 200 alone triggered the finding.

[CVE-2022-21587:status-2] [http] [critical] https://[REDACTED]/forms/taint.jsp
[INF] Scan completed in 1.887s. 1 matches found.

Note: :status-2 is nuclei's internal notation indicating only the 2nd matcher (status) fired. The UUID word matcher never matched.


After fix — same host, false positive eliminated:

[INF] Scan completed in 1.495s. 0 matches found.

Summary:

| Scenario | Before Fix | After Fix |
|---|---|---|
| Non-Oracle host returning HTTP 200 at /forms/taint.jsp | ❌ False Positive | ✅ No finding |
| Oracle EBS host — JSP upload succeeds and executes | ✅ True Positive | ✅ True Positive |

nuclei version: v3.7.0


Additional References:
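
An added example, not part of the PR or of nuclei's code: a simplified Python model of the OR-versus-AND matcher combination described above, replayed against a constructed copy of the generic XML response. The function names, the dict layout and the `implicit_or` lint check are assumptions made for illustration.

```python
# Simplified model of matcher combination; not nuclei's implementation.
UUID = "061ea306-46ef-11f0-ad94-f3d183b0689a"

# Step 2 matcher block as it would look after YAML parsing (values from the PR).
BEFORE = {"matchers": [
    {"type": "word", "part": "body", "words": [UUID]},
    {"type": "status", "status": [200]},
]}
AFTER = {"matchers-condition": "and", **BEFORE}

def fired(matcher, status, body):
    """Return True if a single matcher is satisfied by the response."""
    if matcher["type"] == "word":
        return any(w in body for w in matcher["words"])
    if matcher["type"] == "status":
        return status in matcher["status"]
    raise ValueError(f"unsupported matcher type: {matcher['type']}")

def evaluate(block, status, body):
    """Combine matcher results; a missing matchers-condition means OR."""
    results = [fired(m, status, body) for m in block["matchers"]]
    combine = all if block.get("matchers-condition", "or") == "and" else any
    hits = [m["type"] for m, ok in zip(block["matchers"], results) if ok]
    return combine(results), hits

def implicit_or(block):
    """Lint check: several matchers but no explicit matchers-condition."""
    return len(block["matchers"]) > 1 and "matchers-condition" not in block

# Constructed responses: a generic XML error like the one in the debug
# output above (redacted fields omitted) and a body echoing the proof UUID.
GENERIC_XML = ('<?xml version="1.0" encoding="UTF-8" ?>\n'
               "<Response><retcode>-2</retcode></Response>")
EXECUTED_JSP = f"{UUID}\n"

if __name__ == "__main__":
    for name, block in (("before", BEFORE), ("after", AFTER)):
        print(name, "generic 200:", evaluate(block, 200, GENERIC_XML))
        print(name, "jsp ran:    ", evaluate(block, 200, EXECUTED_JSP))
        print(name, "implicit OR:", implicit_or(block))
```

The `implicit_or` check is the part worth running across a template collection: any block it flags relies on the default OR and deserves a look at whether a lone status matcher can carry the finding.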

@neo-by-projectdiscovery-dev

neo-by-projectdiscovery-dev bot commented Mar 17, 2026

Neo - Nuclei Template Review

No security issues found

Highlights

  • Added two new contributors to author field: dogasantos and s4e-io
  • Added AttackerKB reference link for additional vulnerability context
  • Updated EPSS percentile from 0.99974 to 0.99975 (minor metric update)

Hardening Notes

  • The diff between commits shows only 6 lines changed (3 additions, 3 deletions), all in the info metadata section
  • The AttackerKB reference provides valuable Rapid7 analysis context for security researchers
  • Template structure, matchers, and RCE detection logic remain identical to the previously approved version


@Akokonunes Akokonunes added the Done Ready to merge label Mar 18, 2026
@pussycat0x pussycat0x merged commit 3e1efa0 into projectdiscovery:main Mar 18, 2026
4 checks passed