CVE-2024-7314

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions anji-plus AJ-Report versions <= 1.4.0

Description The issue allows a remote and unauthenticated attacker to bypass authentication by appending ";swagger-ui" to HTTP requests, potentially executing arbitrary Java on the victim server. This is due to improper handling of insufficient permissions via the /swagger-ui endpoint.

Recommendations For anji-plus AJ-Report versions <= 1.4.0, upgrade immediately to mitigate the risk of remote exploit. As a temporary workaround, consider restricting access to the /swagger-ui endpoint to minimize the risk of exploitation.

Exploit

Fix

RCE

Authentication Bypass Using an Alternate Path or Channel

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-288CWE-280

Related Identifiers

CVE-2024-7314

Affected Products

Anji-Plus Aj-Report

CVE-2024-7314

Weakness Enumeration

Related Identifiers

Affected Products

References · 13