Cyber Posture

CVE-2024-13201

Medium · Public PoC

Published: 09 January 2025

Modified: 22 August 2025
KEV Added:
Patch:
CVSS Score: 4.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0005 (16.9th percentile)
Risk Priority: 9 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13201 is a medium-severity Improper Access Control (CWE-284) vulnerability in Wander-Chu Springboot-Blog. Its CVSS base score is 4.7 (Medium).

Operationally, it ranks at the 16.9th percentile by exploit likelihood (EPSS), below the median; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly validates the manipulated 'file' argument in the Admin Attachment Handler to block unrestricted upload of arbitrary dangerous files.

prevent: Restricts file types, sizes, and characteristics allowable in the upload function of AttachtController.java to prevent exploitation of CWE-434.

prevent: Requires timely identification, reporting, and correction of the unrestricted upload flaw in src/main/java/com/my/blog/website/controller/admin/AttachtController.java.
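The first two controls above describe allowlist-style validation of an attachment upload. The following Java class is an added example written for this page; it is not code from the SpringBoot-Blog project and does not reproduce its AttachtController. The class name, the image-only allowlist, the 2 MiB cap and the sample inputs in main are assumptions chosen for the illustration. It checks the client-supplied filename, the declared size and the leading bytes of the content before anything is written to disk, and returns the server-chosen name under which an accepted file may be stored.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

/**
 * Added example, not code from the SpringBoot-Blog project: allowlist-based
 * checks an upload handler can run before it writes anything to disk.
 * Assumed policy for this example: image attachments only, at most 2 MiB,
 * and the stored name is a sanitised basename chosen on the server side.
 */
public final class UploadValidator {

    /** Assumed allowlist: permitted extension -> bytes every file of that type starts with. */
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G'},
        "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif",  new byte[] {'G', 'I', 'F', '8'}
    );

    /** Assumed size cap for this example (2 MiB). */
    private static final long MAX_BYTES = 2L * 1024 * 1024;

    private UploadValidator() {}

    /** Outcome: either the name the file may be stored under, or the reason it was refused. */
    public record Verdict(boolean accepted, String safeName, String reason) {
        static Verdict reject(String why) { return new Verdict(false, null, why); }
        static Verdict accept(String name) { return new Verdict(true, name, null); }
    }

    /**
     * @param originalName filename as supplied by the client (untrusted)
     * @param declaredSize size of the upload in bytes
     * @param head         first bytes of the upload content (at least 4)
     */
    public static Verdict validate(String originalName, long declaredSize, byte[] head) {
        if (originalName == null || originalName.isBlank()) {
            return Verdict.reject("missing filename");
        }
        // Keep only the last path segment so client-supplied directories or '..' never reach the filesystem.
        String base = originalName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);
        if (base.isEmpty() || base.startsWith(".") || base.chars().anyMatch(c -> c < 0x20 || c == 0x7F)) {
            return Verdict.reject("unsafe filename");
        }
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            return Verdict.reject("missing extension");
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        byte[] expected = MAGIC.get(ext);
        if (expected == null) {
            return Verdict.reject("extension not in allowlist: " + ext);
        }
        if (declaredSize <= 0 || declaredSize > MAX_BYTES) {
            return Verdict.reject("size out of range: " + declaredSize);
        }
        // The extension alone is client-controlled; require the content to start with the type's signature.
        if (head == null || head.length < expected.length
                || !Arrays.equals(Arrays.copyOf(head, expected.length), expected)) {
            return Verdict.reject("content does not match declared type " + ext);
        }
        // Store under a server-chosen name: sanitised stem, canonical extension, bounded length.
        String stem = base.substring(0, dot).replaceAll("[^A-Za-z0-9_-]", "_");
        if (stem.length() > 64) {
            stem = stem.substring(0, 64);
        }
        return Verdict.accept(stem + "." + ext);
    }

    /** Constructed sample inputs for the illustration, not captured from any real system. */
    public static void main(String[] args) {
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
        byte[] text = "hello".getBytes(StandardCharsets.US_ASCII);
        byte[] gif = "GIF89a".getBytes(StandardCharsets.US_ASCII);

        System.out.println(validate("photo.png", 1_024, png));           // accepted, stored as photo.png
        System.out.println(validate("../../conf/app.png", 1_024, png));  // accepted as app.png, path part dropped
        System.out.println(validate("notes.txt", 256, text));            // rejected: extension not in allowlist
        System.out.println(validate("report.png", 256, text));           // rejected: content does not match type
        System.out.println(validate("huge.gif", 50_000_000L, gif));      // rejected: size out of range
    }
}
```

The class needs Java 17 or later (records, Map.of) and has no Spring dependency, so it compiles with javac alone; in a controller it would run before the multipart content is copied to disk, with the accepted safeName used instead of the client's filename. The signature check stops the most common mismatches between extension and content, but it is not a complete defence on its own: the upload directory should also sit outside any path the application server executes or serves as code, so that a stored file is never interpreted even if a check is bypassed.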

NVD Description

A vulnerability has been found in wander-chu SpringBoot-Blog 1.0 and classified as critical. This vulnerability affects the function upload of the file src/main/java/com/my/blog/website/controller/admin/AttachtController.java of the component Admin Attachment Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysis (AI)

CVE-2024-13201 is an unrestricted file upload vulnerability in wander-chu SpringBoot-Blog version 1.0. It affects the upload function within the Admin Attachment Handler component, specifically the file src/main/java/com/my/blog/website/controller/admin/AttachtController.java. Manipulation of the 'file' argument allows arbitrary files to be uploaded. The issue is classified as critical, and the associated weaknesses are CWE-284 (Improper Access Control) and CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability has a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).

The vulnerability can be exploited remotely by an authenticated attacker with high privileges, such as an admin user. Successful exploitation has limited impact on confidentiality, integrity, and availability, but an uploaded malicious file could enable further compromise depending on the server configuration and how the stored file is handled.

Advisories from VulDB and the project's GitHub repository (wander-chu/SpringBoot-Blog issue #6) detail the issue, including a public proof-of-concept exploit. The vendor was contacted early but has not responded or issued patches, leaving affected instances unmitigated.

The exploit has been publicly disclosed and may be actively used, with no evidence of vendor remediation as of the CVE publication on 2025-01-09.

Details

CWE(s): CWE-284, CWE-434

Affected Products: wander-chu springboot-blog 1.0

CVEs Like This One

CVE-2024-13200: same product (Wander-Chu Springboot-Blog)
CVE-2024-13133: shared CWE-284, CWE-434
CVE-2026-7733: shared CWE-284, CWE-434
CVE-2025-1166: shared CWE-284, CWE-434
CVE-2026-2979: shared CWE-284, CWE-434
CVE-2025-7755: shared CWE-284, CWE-434
CVE-2025-7470: shared CWE-284, CWE-434
CVE-2025-2973: shared CWE-284, CWE-434
CVE-2026-3800: shared CWE-284, CWE-434
CVE-2026-4221: shared CWE-284, CWE-434

References