CVE-2024-57407
Published: 10 February 2025
Summary
CVE-2024-57407 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Timo v2.0.3, an open-source project hosted on Gitee (the references point at the project's Gitee repository, not at Gitee itself). Its CVSS v3.1 base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-57407 is an arbitrary file upload vulnerability in the /userPicture component of Timo v2.0.3. Published on 2025-02-10, it allows attackers to execute arbitrary code by uploading a crafted file and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.
The vector requires low privileges (PR:L, for example an ordinary authenticated account), network reachability (AV:N) and user interaction (UI:R). Once the /userPicture upload handler accepts a crafted file, the attacker can execute arbitrary code on the server, compromising data confidentiality and integrity (C:H/I:H); availability is not scored as affected (A:N).
The vulnerability is documented in the following references: https://gist.github.com/kaoniniang2/71f6a39535490ea2eeac371f33faec9c and https://gitee.com/aun/Timo/issues/IBBTZI.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53578
Vulnerability details
An arbitrary file upload vulnerability in the component /userPicture of Timo v2.0.3 allows attackers to execute arbitrary code via uploading a crafted file.
- CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload (CWE-434) in a web application endpoint directly enables web shell deployment for remote code execution (Server Software Component: Web Shell, T1505.003) and is reached by exploiting the application itself (Exploit Public-Facing Application, T1190).
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents arbitrary file upload exploits by requiring validation of uploaded file content, type, and format to block crafted malicious files in the /userPicture component.
SI-9 (Information Input Restrictions) is withdrawn in 800-53 r5 (it was folded into AC-2, AC-3, AC-5 and AC-6), so it cannot be cited as a live control. The restriction it described, limiting who may upload to /userPicture and which file types, extensions and sizes the endpoint accepts, is covered by SI-10 for the content checks and by AC-3 (Access Enforcement) for confining the upload capability to authorised users.
SI-2 requires identification, reporting, and timely remediation of the specific flaw in Timo v2.0.3's /userPicture component, eliminating the vulnerability at its source.
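The following is an added example, not code from Timo or from this page, of what the SI-10 input-validation control looks like when applied to an avatar-upload handler of the kind described for /userPicture: an extension allowlist, a magic-byte check of the content against the declared type, a size limit, a server-generated storage name, and a containment check on the final path. The endpoint policy (2 MB limit, PNG/JPEG/GIF only), the function names and the sample uploads are assumptions made for the example.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Policy for a hypothetical avatar endpoint (values are assumptions, not Timo's).
MAX_AVATAR_BYTES = 2 * 1024 * 1024

# Allowlist keyed by declared extension: canonical extension, MIME type, and the
# magic-byte prefixes the content must start with. Anything not listed here
# (.jsp, .php, .htaccess, no extension, ...) is rejected before the body is read.
ALLOWED_TYPES = {
    "png":  ("png", "image/png",  (b"\x89PNG\r\n\x1a\n",)),
    "jpg":  ("jpg", "image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("jpg", "image/jpeg", (b"\xff\xd8\xff",)),
    "gif":  ("gif", "image/gif",  (b"GIF87a", b"GIF89a")),
}


class UploadRejected(ValueError):
    """Raised with a short, log-friendly reason when an upload fails validation."""


@dataclass(frozen=True)
class ValidatedUpload:
    storage_name: str   # server-generated; the client's filename is never reused
    content_type: str   # derived from the verified type, not from the request
    size: int


def validate_avatar_upload(filename: str, data: bytes,
                           max_bytes: int = MAX_AVATAR_BYTES) -> ValidatedUpload:
    """Validate an uploaded avatar and return storage metadata for it.

    Checks run in order: size, filename shape, extension allowlist, magic bytes.
    Cheap rejections come first, and the content check only runs against a type
    the allowlist has already agreed to accept.
    """
    if not data:
        raise UploadRejected("empty file")
    if len(data) > max_bytes:
        raise UploadRejected("file too large")

    # The client-supplied name is untrusted: no directory components, no NULs.
    if (not filename or "\x00" in filename
            or "/" in filename or "\\" in filename):
        raise UploadRejected("illegal filename")

    stem, ext = os.path.splitext(filename)
    ext = ext[1:].lower()          # ".PNG" -> "png"; ".htaccess" yields ext ""
    if not stem or ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")

    canonical_ext, mime, magics = ALLOWED_TYPES[ext]
    if not any(data.startswith(m) for m in magics):
        # e.g. a JSP or PHP script renamed to avatar.png
        raise UploadRejected("content does not match declared type")

    # Random name with the canonical extension, so neither the user's name nor a
    # second "extension" (shell.jsp.png) ever reaches the filesystem.
    storage_name = f"{secrets.token_hex(16)}.{canonical_ext}"
    return ValidatedUpload(storage_name, mime, len(data))


def rejection_reason(filename: str, data: bytes) -> Optional[str]:
    """Return the rejection reason for an upload, or None if it is accepted."""
    try:
        validate_avatar_upload(filename, data)
    except UploadRejected as exc:
        return str(exc)
    return None


def storage_path(upload_dir: str, upload: ValidatedUpload) -> str:
    """Resolve the final path and confirm it stays inside upload_dir.

    upload_dir should live outside the web root, so that a stored file can only
    be served back as static image data and never executed by the server.
    """
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, upload.storage_name))
    if os.path.dirname(target) != base:
        raise UploadRejected("storage path escapes upload directory")
    return target


if __name__ == "__main__":
    # Constructed sample uploads, not files taken from any report.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    jsp_as_png = b'<% Runtime.getRuntime().exec(request.getParameter("c")); %>'
    samples = [
        ("avatar.PNG", png),                                       # accepted
        ("shell.jsp", png),                                        # extension
        ("avatar.png", jsp_as_png),                                # magic bytes
        ("../../webapps/ROOT/x.png", png),                         # filename
        (".htaccess", b"AddType application/x-httpd-php .png"),    # extension
    ]
    for name, body in samples:
        print(f"{name!r:32} -> {rejection_reason(name, body) or 'accepted'}")
```

The magic-byte check catches a script renamed to an image but not a genuine image with script text embedded in its metadata; if the application must tolerate that, the stronger SI-10 measure is to transcode every accepted image through an image library and store only the re-encoded output, which is why the example also keeps uploads out of any directory the application server will execute.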