Cyber Resilience

CVE-2024-12347

Medium

Published: 09 December 2024

Published
09 December 2024
Modified
11 September 2025
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0036 58.3th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12347 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Huayi-Tec Jeewms. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A vulnerability was found in Guangzhou Huayi Intelligent Technology Jeewms up to 1.0.0 and classified as critical. This issue affects some unknown processing of the file /jeewms_war/webpage/system/druid/index.html of the component Druid Monitoring Interface. The manipulation leads to improper authorization. The…

more

attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1049 System Network Connections Discovery Discovery
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
T1082 System Information Discovery Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Why these techniques?

Improper authorization in the Druid monitoring interface (/jeewms_war/webpage/system/druid/index.html) allows remote unauthenticated access, enabling exploitation of a public-facing web application (T1190) and facilitating discovery of network services via data sources (T1046), active network connections (T1049), and system information via monitoring metrics (T1082).

Affected Assets

huayi-tec
jeewms
all versions

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-285 CWE-266

Documented procedures facilitate correct implementation and ongoing management of authorization decisions.

addresses: CWE-285 CWE-266

Periodic reviews identify and correct flaws in authorization decisions or enforcement.

addresses: CWE-285 CWE-266

Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions.

addresses: CWE-266 CWE-285

The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement.

addresses: CWE-266 CWE-285

Ensures privileges are assigned only as necessary rather than incorrectly over-granted.

addresses: CWE-285

The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication.

addresses: CWE-285

Establishing permitted attributes and values, plus auditing changes, ensures authorization decisions are based on correctly managed policy data.

addresses: CWE-285

Explicitly mandates authorizing remote access types before permitting connections, directly mitigating improper authorization.

References