Sigma rules for CVE-2021-22060
2 rules · scoped to cve · back to CVE-2021-22060
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Potential SpEL Injection In Spring Framework
id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
status: test
description: Detects potential SpEL Injection exploitation, which may lead to RCE.
references:
- https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: spring
definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
keywords:
- 'org.springframework.expression.ExpressionException'
condition: keywords
falsepositives:
- Application bugs
level: high
title: Spring Framework Exceptions
id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
status: stable
description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
references:
- https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html
author: Thomas Patzke
date: 2017-08-06
modified: 2020-09-01
tags:
- attack.initial-access
- attack.t1190
logsource:
category: application
product: spring
detection:
keywords:
- AccessDeniedException
- CsrfException
- InvalidCsrfTokenException
- MissingCsrfTokenException
- CookieTheftException
- InvalidCookieException
- RequestRejectedException
condition: keywords
falsepositives:
- Application bugs
level: medium