CVE-2024-57604
Published: 12 February 2025
Summary
CVE-2024-57604 is a critical-severity Incorrect Default Permissions (CWE-276) vulnerability in Mayswind Ezbookkeeping. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-57604 is a privilege escalation vulnerability affecting MaysWind ezBookkeeping version 0.7.0, specifically within the token component. The issue, classified under CWE-276, enables a remote attacker to elevate privileges. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and high impacts on confidentiality, integrity, and availability.
A remote attacker without prior privileges can exploit this vulnerability over the network with minimal complexity and no user interaction. Successful exploitation allows privilege escalation, potentially granting unauthorized access to sensitive functions or data within the affected ezBookkeeping instance, leading to high-level compromise of confidentiality, integrity, and availability.
Advisories and discussions are available in referenced sources, including a GitHub issue at https://github.com/mayswind/ezbookkeeping/issues/33 and additional details at https://hkohi.ca/vulnerability/2, which may provide further guidance on patches or mitigations. The vulnerability was published on 2025-02-12.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53641
Vulnerability details
An issue in MaysWind ezBookkeeping 0.7.0 allows a remote attacker to escalate privileges via the token component.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lacks rate limiting on login and 2FA backup code endpoints, enabling remote brute force attacks to guess credentials and bypass authentication for account takeover and privilege escalation.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the CVE by requiring timely identification, reporting, and remediation of the privilege escalation flaw in the ezBookkeeping token component.
- AC-6 (Least Privilege): counters privilege escalation by enforcing least privilege, restricting unauthorized access even if the token component is exploited.
- AC-3 (Access Enforcement): requires the system to enforce approved access authorizations, preventing the remote unauthenticated privilege escalation via improper token handling.