CVE-2024-13211
Published: 09 January 2025
Summary
CVE-2024-13211 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Singmr Houserent. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 27.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-13211 is a critical vulnerability in SingMR HouseRent version 1.0, affecting an unknown functionality within the file src/main/java/com/house/wym/controller/AdminController.java. The issue stems from improper access controls (CWE-266 and CWE-284), enabling unauthorized manipulation. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and was published on 2025-01-09.
A remote attacker with low privileges (PR:L) can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling unauthorized access or modifications due to the flawed access controls in the AdminController.
Advisories reference a GitHub issue (https://github.com/SingMR/HouseRent/issues/12) disclosing the vulnerability, along with VulDB entries (https://vuldb.com/?ctiid.290816, https://vuldb.com/?id.290816). No specific patches or mitigation steps are detailed in the provided references, but practitioners should review the GitHub issue for updates.
The exploit has been publicly disclosed and may be usable by attackers.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51432
Vulnerability details
A vulnerability was found in SingMR HouseRent 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file src/main/java/com/house/wym/controller/AdminController.java. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
- CWE(s): CWE-266 (Incorrect Privilege Assignment), CWE-284 (Improper Access Control)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Broken access control in the public-facing web application's AdminController directly enables remote exploitation (T1190) and privilege escalation through unauthorized manipulation of admin functionality (T1068).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for logical access to information and system resources, directly mitigating the improper access controls in AdminController.java that enable unauthorized remote manipulation.
- AC-6 (Least Privilege): grants only the accesses that low-privilege users actually need, so a PR:L attacker cannot exploit the flawed access controls to reach admin functionality.
- AC-24 (Access Control Decisions): authorizes access to system resources based on defined personnel or roles, addressing the vulnerability's allowance of unauthorized actions in the AdminController.
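The following is an added, constructed illustration of the vulnerability class and the AC-3/AC-6 fix described above; it is not code from SingMR HouseRent, and the handler names, the `ADMIN` role, the listing store and the session shape are all assumptions. The vulnerable handler requires only that some user is logged in (the PR:L condition), while the hardened one enforces the admin role and logs the denied attempt as a detection signal.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Constructed example (not the HouseRent project's code): an admin handler
// with CWE-266/CWE-284 beside its role-enforcing replacement.
public class AdminAccessExample {

    // Minimal stand-in for an authenticated web session (assumed shape).
    record Session(String user, Set<String> roles) {}

    // Constructed sample data standing in for the application's listings.
    static final Map<Long, String> LISTINGS = new HashMap<>(Map.of(1L, "Flat A"));

    // Vulnerable pattern: the /admin route only checks that *a* login exists
    // (PR:L) and never verifies the caller's role before acting.
    static String deleteListingVulnerable(Session s, long id) {
        if (s == null) return "401 login required";
        LISTINGS.remove(id);
        return "200 deleted";
    }

    // Hardened pattern (AC-3 / AC-6): enforce the approved authorization for
    // the ADMIN role only, so ordinary tenants cannot reach admin actions.
    static String deleteListingHardened(Session s, long id) {
        if (s == null) return "401 login required";
        if (!s.roles().contains("ADMIN")) {
            // Audit the denial: repeated 403s on admin routes from low-privilege
            // accounts are the signal a SOC would alert on for this CVE class.
            System.err.println("AUDIT denied admin action user=" + s.user() + " listing=" + id);
            return "403 forbidden";
        }
        LISTINGS.remove(id);
        return "200 deleted";
    }

    public static void main(String[] args) {
        Session tenant = new Session("tenant1", Set.of("USER"));
        Session admin = new Session("admin1", Set.of("ADMIN"));
        System.out.println(deleteListingVulnerable(tenant, 1L)); // 200 deleted: any login suffices
        LISTINGS.put(1L, "Flat A");                              // restore the sample listing
        System.out.println(deleteListingHardened(tenant, 1L));   // 403 forbidden
        System.out.println(deleteListingHardened(admin, 1L));    // 200 deleted
    }
}
```

In a Spring MVC application the same enforcement is normally expressed declaratively, with `@PreAuthorize("hasRole('ADMIN')")` on the handler and a `/admin/**` matcher restricted to that role in the security filter chain, rather than as an inline check.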