CVE-2024-46479
Published: 13 January 2025
Summary
CVE-2024-46479 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Venki Supravizio Bpm. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly mitigates unrestricted file uploads by enforcing validation of file types, content, and attributes at input points to prevent dangerous files from being accepted.
SI-2 ensures timely identification, reporting, and correction of the specific arbitrary file upload flaw in Venki Supravizio BPM, eliminating the vulnerability.
SI-3 deploys malicious code protection at entry points to scan and block execution of dangerous uploaded files that could lead to RCE.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file upload vulnerability in Venki Supravizio BPM enables authenticated attackers to upload malicious files for remote code execution, directly facilitating exploitation of a public-facing application.
NVD Description
Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, leading to remote code execution.
Deeper analysisAI
CVE-2024-46479 is an arbitrary file upload vulnerability affecting Venki Supravizio BPM through version 18.0.1. This flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), allows an authenticated attacker to upload a malicious file, potentially leading to remote code execution on the targeted system. The vulnerability was published on 2025-01-13 and carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, low privileges required, and high impact across confidentiality, integrity, and availability with a changed scope.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network without user interaction. By uploading a specially crafted malicious file through the affected component, the attacker achieves remote code execution, enabling full system compromise including data theft, modification, or further lateral movement within the environment.
Details on the vulnerability, including research findings, are documented in advisories available at https://github.com/Lorenzo-de-Sa/Vulnerability-Research and https://github.com/Lorenzo-de-Sa/Vulnerability-Research/blob/main/CVE-2024-46479.md, with the vendor page at https://www.venki.com.br/ferramenta-bpm/supravizio/. No specific patch or mitigation guidance is detailed in the available CVE information.
Details
- CWE(s)