From ea5289974795b4ebbdb539141c75e70131961674 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Apr 2026 15:19:40 +0200 Subject: [PATCH 1/4] Add vpatch-CVE-2023-29357 rule --- .../crowdsecurity/vpatch-CVE-2023-29357.yaml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 appsec-rules/crowdsecurity/vpatch-CVE-2023-29357.yaml diff --git a/appsec-rules/crowdsecurity/vpatch-CVE-2023-29357.yaml b/appsec-rules/crowdsecurity/vpatch-CVE-2023-29357.yaml new file mode 100644 index 00000000000..c8c160f9e05 --- /dev/null +++ b/appsec-rules/crowdsecurity/vpatch-CVE-2023-29357.yaml @@ -0,0 +1,42 @@ +## autogenerated on 2026-04-08 13:19:37 +name: crowdsecurity/vpatch-CVE-2023-29357 +description: 'Detects authentication bypass in Microsoft SharePoint via forged JWT with "none" algorithm.' +rules: + - and: + - zones: + - URI + transform: + - lowercase + match: + type: contains + value: /_api/web/siteusers + - zones: + - HEADERS + variables: + - authorization + transform: + - lowercase + match: + type: contains + value: 'bearer ' + - zones: + - HEADERS + variables: + - authorization + transform: + - lowercase + match: + type: contains + value: 'none' + +labels: + type: exploit + service: http + confidence: 3 + spoofable: 0 + behavior: 'http:exploit' + label: 'Microsoft SharePoint - Authentication Bypass' + classification: + - cve.CVE-2023-29357 + - attack.T1552 + - cwe.CWE-287 From 07e264e3ce4a614907054d72535c0cf7b7179f6d Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Apr 2026 15:19:42 +0200 Subject: [PATCH 2/4] Add vpatch-CVE-2023-29357 test config --- .appsec-tests/vpatch-CVE-2023-29357/config.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2023-29357/config.yaml diff --git a/.appsec-tests/vpatch-CVE-2023-29357/config.yaml b/.appsec-tests/vpatch-CVE-2023-29357/config.yaml new file mode 100644 index 00000000000..fe66758c014 --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2023-29357/config.yaml @@ -0,0 +1,5 @@ +## autogenerated on 2026-04-08 13:19:37 +appsec-rules: + - ./appsec-rules/crowdsecurity/base-config.yaml + - ./appsec-rules/crowdsecurity/vpatch-CVE-2023-29357.yaml +nuclei_template: CVE-2023-29357.yaml From 66a7794c690f7d18e4ba401d9448b2a465ba5e25 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Apr 2026 15:19:44 +0200 Subject: [PATCH 3/4] Add CVE-2023-29357.yaml test --- .../vpatch-CVE-2023-29357/CVE-2023-29357.yaml | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .appsec-tests/vpatch-CVE-2023-29357/CVE-2023-29357.yaml diff --git a/.appsec-tests/vpatch-CVE-2023-29357/CVE-2023-29357.yaml b/.appsec-tests/vpatch-CVE-2023-29357/CVE-2023-29357.yaml new file mode 100644 index 00000000000..617d5b5752d --- /dev/null +++ b/.appsec-tests/vpatch-CVE-2023-29357/CVE-2023-29357.yaml @@ -0,0 +1,21 @@ +## autogenerated on 2026-04-08 13:19:37 +id: CVE-2023-29357 +info: + name: CVE-2023-29357 + author: crowdsec + severity: info + description: CVE-2023-29357 testing + tags: appsec-testing +http: + - raw: + - | + GET /_api/web/siteusers HTTP/1.1 + Host: {{Hostname}} + Accept: application/json + Authorization: Bearer {{generate_jwt("{\"aud\":\"00000003-0000-0ff1-ce00-000000000000@realm\",\"iss\":\"00000003-0000-0ff1-ce00-000000000000\",\"nbf\":1695987703,\"exp\":2011547223,\"ver\":\"hashedprooftoken\",\"nameid\":\"00000003-0000-0ff1-ce00-000000000000@realm\",\"endpointurl\":\"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\":1,\"isloopback\":true}","none")}}AAA + X-PROOF_TOKEN: {{generate_jwt("{\"aud\":\"00000003-0000-0ff1-ce00-000000000000@realm\",\"iss\":\"00000003-0000-0ff1-ce00-000000000000\",\"nbf\":1695987703,\"exp\":2011547223,\"ver\":\"hashedprooftoken\",\"nameid\":\"00000003-0000-0ff1-ce00-000000000000@realm\",\"endpointurl\":\"qqlAJmTxpB9A67xSyZk+tmrrNmYClY/fqig7ceZNsSM=\",\"endpointurlLength\":1,\"isloopback\":true}","none")}}AAA + cookie-reuse: true + matchers: + - type: status + status: + - 403 From 300fc1380989ef9a52d4b3131a4ff51c971daca8 Mon Sep 17 00:00:00 2001 From: crowdsec-automation <63358111+crowdsec-automation@users.noreply.github.com> Date: Wed, 8 Apr 2026 15:19:46 +0200 Subject: [PATCH 4/4] Add vpatch-CVE-2023-29357 rule to vpatch collection --- collections/crowdsecurity/appsec-virtual-patching.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/collections/crowdsecurity/appsec-virtual-patching.yaml b/collections/crowdsecurity/appsec-virtual-patching.yaml index 7ccf9a8bf03..0d57cf87ebb 100644 --- a/collections/crowdsecurity/appsec-virtual-patching.yaml +++ b/collections/crowdsecurity/appsec-virtual-patching.yaml @@ -146,6 +146,7 @@ appsec-rules: - crowdsecurity/vpatch-CVE-2025-2611 - crowdsecurity/vpatch-CVE-2022-24086 - crowdsecurity/vpatch-CVE-2021-32478 +- crowdsecurity/vpatch-CVE-2023-29357 - crowdsecurity/vpatch-CVE-2021-26072 - crowdsecurity/vpatch-CVE-2025-55748 - crowdsecurity/vpatch-CVE-2022-25322