CVE-2024-46479
Published: 13 January 2025
Summary
CVE-2024-46479 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Venki Supravizio BPM. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 9.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Venki Supravizio BPM through version 18.0.1 contains an arbitrary file upload vulnerability tracked as CVE-2024-46479. The flaw, classified under CWE-434, permits an authenticated user to upload files of dangerous types (for example server-side script files) to the application, which can then be executed on the server. The issue carries a CVSS 3.1 score of 9.9, reflecting a network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability with changed scope (the compromise reaches beyond the BPM application to the underlying host).
An authenticated attacker can exploit the weakness by uploading a malicious file that the application subsequently processes or executes, resulting in remote code execution on the affected server under the privileges of the application service. The current EPSS score of 0.0599 (roughly a 6% estimated probability of exploitation activity in the next 30 days), with a recorded peak of 0.0833, indicates modest and stable exploitation interest since disclosure. Public details are available in the referenced GitHub research repository and the vendor product page, though no specific patch or mitigation guidance is provided in the available sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-42192
Vulnerability details
Venki Supravizio BPM through 18.0.1 was discovered to contain an arbitrary file upload vulnerability. An authenticated attacker may upload a malicious file, leading to remote code execution.
- CWE-434: Unrestricted Upload of File with Dangerous Type
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Arbitrary file upload vulnerability in Venki Supravizio BPM enables authenticated attackers to upload malicious files for remote code execution, directly facilitating exploitation of a public-facing application.
Affected Assets
- Venki Supravizio BPM, versions through 18.0.1
Mitigating Controls (NIST 800-53 r5)
SI-10 directly mitigates unrestricted file uploads by enforcing validation of file types, content, and attributes at input points to prevent dangerous files from being accepted.
SI-2 covers timely identification, reporting, and correction of the arbitrary file upload flaw in Venki Supravizio BPM; applying a vendor-supplied fix is what eliminates the vulnerability. Because the available sources provide no patch or mitigation guidance, operators should track the vendor product page for a fixed release and treat the other controls as compensating measures until one is applied.
SI-3 deploys malicious code protection at entry points to scan and block execution of dangerous uploaded files that could lead to RCE. It is defence in depth rather than a substitute for SI-10: a web shell is ordinary script text, and a signature-based scanner may not flag it, whereas a type allow-list rejects it regardless of content.
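As an added illustration of the CWE-434 pattern described in the deeper analysis and of the SI-10 input validation that closes it, the following Python is example code written for this page. It is not Venki's code and is not derived from Supravizio BPM's upload logic, whose stack is not described in the available sources. The allow-listed types, the dangerous-extension list, the function and directory names are assumptions, and the sample file contents are constructed. The vulnerable handler trusts the client-supplied name and type; the hardened one applies an extension allow-list, rejects script extensions anywhere in the name, verifies the content matches the declared type, discards any path component, and stores the file under a server-chosen random name.

```python
import os
import posixpath
import secrets
from typing import Tuple

# Assumption: the upload endpoint only needs images and PDFs. Each
# allowed extension is paired with the magic bytes its content must start with.
ALLOWED_EXT_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".pdf": (b"%PDF-",),
}

# Server-side script and executable types that must never be accepted,
# even as an inner extension such as "report.aspx.png" (assumed list).
DANGEROUS_EXT = {
    ".aspx", ".asp", ".ashx", ".asmx", ".php", ".phtml", ".jsp", ".jspx",
    ".exe", ".dll", ".sh", ".bat", ".cmd", ".ps1", ".htaccess", ".config",
}

# Constructed sample payloads for the demonstration below.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_WEBSHELL = b'<%@ Page Language="C#" %><% /* constructed web shell stub */ %>'


def vulnerable_save(web_root: str, filename: str, data: bytes) -> str:
    """CWE-434 pattern: client name used verbatim, no type check, written
    into a directory the web server executes scripts from."""
    path = os.path.join(web_root, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """SI-10 style check. Returns (True, extension) or (False, reason)."""
    # 1. Discard any directory component the client supplied (either separator).
    base = posixpath.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        return False, "empty or hidden filename"
    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = ["." + p for p in parts[1:]]
    # 2. A script extension anywhere in the name is rejected outright.
    for ext in exts:
        if ext in DANGEROUS_EXT:
            return False, f"dangerous extension {ext}"
    # 3. The final extension must be on the allow-list, and there may be only one.
    final = exts[-1]
    if final not in ALLOWED_EXT_MAGIC:
        return False, f"extension {final} not allowed"
    if len(exts) > 1:
        return False, "multiple extensions"
    # 4. The bytes must look like the type the name claims.
    if not any(data.startswith(magic) for magic in ALLOWED_EXT_MAGIC[final]):
        return False, "content does not match extension"
    return True, final


def safe_save(storage_dir: str, filename: str, data: bytes) -> str:
    """Hardened handler: validate, then store under a random server-chosen
    name in a directory that is not served or executed by the web server."""
    ok, info = validate_upload(filename, data)
    if not ok:
        raise ValueError(f"rejected upload {filename!r}: {info}")
    stored_name = secrets.token_hex(16) + info
    path = os.path.join(storage_dir, stored_name)
    # O_EXCL refuses to overwrite; mode 0o600 keeps the file private to the service.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    import tempfile
    store = tempfile.mkdtemp()
    print(safe_save(store, "photo.png", SAMPLE_PNG))
    for name, payload in [("shell.aspx", SAMPLE_WEBSHELL),
                          ("shell.aspx.png", SAMPLE_WEBSHELL),
                          ("shell.png", SAMPLE_WEBSHELL),
                          ("../../wwwroot/shell.png", SAMPLE_PNG)]:
        print(name, "->", validate_upload(name, payload))
```

The traversal case is accepted but only after its directory part is dropped and the file renamed, so the client never chooses where on disk the bytes land. Magic-byte checking stops a web shell with a forged image extension, but it does not stop a valid image that also carries script in its trailing bytes; that is why the stored file must sit outside any script-executing path regardless of the check's outcome.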