Cyber Resilience

CVE-2024-13189

Severity: Medium · Public PoC available

Published: 08 January 2025
Modified: 28 May 2025
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0011 (29.8th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13189 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Zerowdd Myblog. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 29.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13189 is a critical vulnerability in ZeroWdd myblog 1.0, affecting an unknown part of the file src/main/java/com/wdd/myblog/config/MyBlogMvcConfig.java. The issue stems from permission problems, mapped to CWE-266 and CWE-275, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). It was published on 2025-01-08.

The vulnerability enables remote exploitation by unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Manipulation leads to permission issues, allowing limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L).

Details on the vulnerability, including the publicly disclosed exploit, are documented in GitHub issues at https://github.com/ZeroWdd/myblog/issues/1 and https://github.com/ZeroWdd/myblog/issues/1#issue-2759828006, as well as VulDB entries at https://vuldb.com/?ctiid.290781, https://vuldb.com/?id.290781, and https://vuldb.com/?submit.469223. No specific patch or mitigation details are provided in the available information.


Vulnerability details

A vulnerability classified as critical has been found in ZeroWdd myblog 1.0. This affects an unknown part of the file src/main/java/com/wdd/myblog/config/MyBlogMvcConfig.java. The manipulation leads to permission issues. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The critical permission bypass in a public-facing web application (the ZeroWdd myblog MVC configuration) allows remote, unauthenticated access to admin paths, which is exactly the exploitation of a public-facing application that T1190 describes.

CVEs Like This One

CVE-2024-13191 (same product: Zerowdd Myblog)
CVE-2024-13133 (same vendor: Zerowdd)
CVE-2024-13134 (same vendor: Zerowdd)
CVE-2026-33519 (shared CWE-266)
CVE-2025-2548 (shared CWE-266)
CVE-2026-2549 (shared CWE-266)
CVE-2025-1226 (shared CWE-266)
CVE-2026-1962 (shared CWE-266)
CVE-2026-1597 (shared CWE-266)
CVE-2026-4194 (shared CWE-266)

Affected Assets

Vendor: zerowdd · Product: myblog · Version: 1.0

Mitigating Controls (NIST 800-53 r5, AI-mapped)

AC-3 Access Enforcement [prevent]
Enforces approved authorizations for logical access, directly countering the permission bypass vulnerability in MyBlogMvcConfig.java.

SI-2 Flaw Remediation [prevent, detect]
Identifies, reports, and corrects the specific flaw causing permission issues (CWE-266, CWE-275), preventing remote exploitation of this CVE.

AC-6 Least Privilege [prevent]
Employs least privilege to limit unauthorized access enabled by incorrect privilege assignments in the vulnerable MVC configuration.
