Vulnerable HTTP Report

LAST UPDATED: 2023-03-22

This report identifies hosts that have the Hypertext Transfer Protocol (HTTP) service running on some port that may have a vulnerability.

It currently focuses on the following vulnerabilities:

- Zimbra Communication Suite – a CVE-2022-37042 vulnerability discovered by Volexity (blog published 2022-08-10) that allows for remote code execution, and has been exploited in the wild since at least June 2022. This vulnerability was patched in Zimbra releases ZCS 9.0.0 Patch 26 and ZCS 8.8.15 Patch 33, July 28th,2022. If you receive a report on an IP tagged cve-2022-37042 it is likely you are vulnerable to this exploit and possibly already compromised (which may involve a webshell being installed by an attacker). Please note we are making this assessment entirely on the ZCS build time, and tagging all versions earlier than 2022-07-26 build time as vulnerable. Hence, there is a possibility of false positives.
- HTTP hosts that implement Basic Authentication in plain HTTP. This is a security risk as credentials are transmitted in cleartext, without encryption. Enforce the use of HTTPS instead. Instances found will be tagged basic-auth in the report message.
- Exposed .git folders. We scan every IPv4 for with a GET /.git/config query. The tag in this case is git-config-file. For an overview of security risks associated with .git exposure and what actions you can take to mitigate the risk, please read “Unprotected .git folders on the internet pose a security risk” by NCSC CH.
- Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent), tagged as cve-2021-35587 allowing for unauthenticated remote code execution. If you get such an alert make sure to apply Oracle’s patches here.
- Likely AMI MegaRAC vulnerabilities – used by multiple vendors – as described in Eclypsium’s post “Supply Chain Vulnerabilities Put Server Ecosystem at Risk”. In this case we scan for exposed Redfish API endpoints, however we are not able to verify if these have been patched and thus not vulnerable anymore (CVE-2022-40259). Nevertheless, these should not be exposed to the public Internet. We tag these as megarac and potential-megarac. The difference in the tags reflects our confidence in identifying the device. If you get an alert make sure to apply your vendor’s latest patches!
- Fortinet CVE-2022-42475 (CVSS 9.8 RCE) based on Fortinet version scanning (where possible). These are tagged cve-2022-42475. If you get an alert make sure to apply the patch specified in the advisory.
- Citrix CVE-2022-27510 (CVSS 9.8 RCE) based on version information parsed from /vpn/index.html. These are tagged cve-2022-27510. If you get an alert make sure to apply the updates specified in the advisory. For additional background please read the Fox-IT article on remotely fingerprinting Citrix ADC and Gateway versions.
- VMware CVE-2021-21972 (remote code execution vulnerability in the vSphere Client, CVSS 9.8 RCE). These are tagged cve-2021-21972. Note: this check is version based. If you get an alert make sure to apply the updates specified in the advisory.
- Multiple VMware ESXi vulnerabilities: CVE-2021-21974 (CVSS 8.8), CVE-2020-3992 (CVSS 9.8), CVE-2019-5544 (CVSS 9.8) tagged as cve-2021-21974, cve-2020-3992, cve-2019-5544. As of 2023-02-06, it is possible they are being used in ransomware attacks as described in this CERT-FR advisory. Note: this check is version based. It is possible that these services have other mitigations in place. Nevertheless, if you receive an alert, we recommend to apply the latest VMware updates!
- Joomla CVE-2023-23752: An improper access check allows unauthorized access to webservice endpoints, affecting Joomla! CMS versions 4.0.0-4.2.7. While this has been given only a CVSS of 5.3, exploitation details are public and trivial, and many of the vulnerable endpoints disclose their actual unencrypted passwords. Make sure to update your Joomla instance as advised in their advisory [20230201] – Core – Improper access check in webservice endpoints. Tagged as cve-2023-23752.
- Geoserver CVE-2023-25157 (CVSS 9.8) and CVE-2022-24816 (CVSS 9.8). These are two unauthenticated RCE vulnerabilities in GeoServer, a popular open source software server written in Java that allows users to share and edit geospatial data. Make sure to apply the latest patches to your Geoserver instance! Tagged as cve-2023-25157 and cve-2022-24816.
- Jenkins CVE-2023-27898. CVE tagging is based on X-Jenkins header. LTS >= 2.270.0 < 2.375.4 or non-LTS >= 2.270 <= 2.393. Tagged as cve-2023-27898.

Other vulnerabilities may be added in the future to this report. As some of the assessments are version based, false positives may be possible. Please let us know if you believe that is the case for a report we sent you.

You can view results from our vulnerable HTTP scans in our Dashboard here.

For a report about all accessible HTTP hosts (including those without vulnerabilities) please see our Accessible HTTP Report.

For more information on our scanning efforts, check out our Internet scanning summary page.

This report has an IPv4 and IPv6 version.

Filename(s): scan_http_vulnerable, scan6_http_vulnerable

Fields

timestamp

Time that the IP was probed in UTC+0
ip

The IP address of the device in question
protocol

Protocol that the HTTP response came on (always TCP)
port

Port that the HTTP response came from
hostname

Reverse DNS name of the device in question
tag

Additional tag information about host, for example "basic-auth"
asn

ASN of where the device in question resides
geo

Country where the device in question resides
region

State / Province / Administrative region where the device in question resides
city

City in which the device in question resides
naics

North American Industry Classification System Code
sic

Standard Industrial Classification System Code
http

Hypertext Transfer Protocol Version
http_code

HTTP Response code: e.g., 200, 401, 404
http_reason

The text reason to go with the HTTP Code
content_type

The MIME type of the body of the request (used with POST and PUT requests)
connection

Control options for the current connection and list of hop-by-hop request fields
www_authenticate

Indicates the authentication scheme that should be used to access the requested entity
set_cookie

The HTTP Cookie to be set
server

HTTP Server type
content_length

The length of the response body in octets
transfer_encoding

The form of encoding used to safely transfer the entity to the user
http_date

The date and time that the message was sent
detail

Additional details, if any

Sample

"timestamp","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","sic","http","http_code","http_reason","content_type","connection","www_authenticate","set_cookie","server","content_length","transfer_encoding","http_date","version","build_date","detail"
"2010-02-10 00:00:00",192.168.0.1,tcp,8080,node01.example.com,"basic-auth,http",64512,ZZ,Region,City,0,0,HTTP/1.1,401,Unauthorized,"text/html; charset=utf-8",,"Basic realm=\"\"OpenWebif\"\"",TWISTED_SESSION=5473ad3faa3de66685fb3a53bffb390b4fcec2039893009a06caf38e1bec8aa8,TwistedWeb/19.7.0,149,,"Wed, 10 Feb 2010 00:00:00 GMT",,,
"2010-02-10 00:00:01",192.168.0.2,tcp,80,node02.example.com,"basic-auth,http",64512,ZZ,Region,City,0,0,HTTP/1.1,401,Unauthorized,"text/html; charset=utf-8",,"Basic realm=\"\"OpenWebif\"\"",TWISTED_SESSION=d2460d37b7fdbdd6c27dd74423ead5704e553d4f2c230672313edc5602059e33,TwistedWeb/19.7.0,149,,"Wed, 10 Feb 2010 00:00:01 GMT",,,
"2010-02-10 00:00:02",192.168.0.3,tcp,443,node03.example.com,git-config-file,64512,ZZ,Region,City,0,0,,,,,,,,,,,"Wed, 10 Feb 2010 00:00:02 GMT",,,"repositoryformatversion = 0;filemode = false;bare = false;logallrefupdates = true;symlinks = false;ignorecase = true;url = https://github.com/yundilee1973/suanni_4dxhjt434.git;fetch = +refs/heads/*:refs/remotes/origin/*"

Our 134 Report Types

« Back to Network Reporting