CVE-2024-57761
Published: 15 January 2025
Summary
CVE-2024-57761 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Huayi-Tec Jeewms. Its CVSS base score is 8.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-57761, published on 2025-01-15, is an arbitrary file upload vulnerability in the parserXML() method of JeeWMS versions before v2025.01.01. This issue, linked to CWE-434 (Unrestricted Upload of File with Dangerous Type), enables attackers to upload crafted files that result in arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.
Exploitation requires only low privileges (PR:L), so any authenticated user with an ordinary account can attempt it; the attacker does need valid credentials, which is why the score is 8.1 rather than critical. The attacker submits a crafted file to the parserXML() method remotely and without any user interaction (AV:N/UI:N) and obtains arbitrary code execution on the server. The vector rates confidentiality and integrity impact as high (C:H/I:H), giving read access to sensitive data and the ability to modify the system, while availability is rated unaffected (A:N) and scope is unchanged (S:U).
The advisory at https://gitee.com/erzhongxmu/JEEWMS/issues/IBFTZ7 details the issue, with mitigation achieved by upgrading to JeeWMS v2025.01.01 or later, which addresses the vulnerable parserXML() method.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53729
Vulnerability details
An arbitrary file upload vulnerability in the parserXML() method of JeeWMS before v2025.01.01 allows attackers to execute arbitrary code via uploading a crafted file.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload (CWE-434) in a public-facing web application directly enables remote deployment of a web shell for code execution: initial access via Exploit Public-Facing Application (T1190), followed by persistence and command execution via Server Software Component: Web Shell (T1505.003).
Affected Assets
JeeWMS versions before v2025.01.01 (fixed in v2025.01.01 and later).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Applying the vendor patch by upgrading to JeeWMS v2025.01.01 or later removes the flaw in the parserXML() method and with it the arbitrary file upload that leads to code execution.
- SI-10 (Information Input Validation): Validating the content of files uploaded to the parserXML() method, so that only well-formed XML of the expected structure is processed, blocks the crafted files that enable arbitrary code execution.
- SI-10 (Information Input Validation): Restricting the file types and characteristics accepted by the parserXML() method (an allowlist of extensions, a size cap, a server-generated storage name) prevents submission of dangerous files. Note that name and content checks alone do not stop a file that is both well-formed XML and interpretable by the application server; uploaded files should also be stored outside the web root under a name the client does not control.
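The following is an added illustration of the two SI-10 controls above, written for this page rather than taken from JeeWMS (the page does not show the vulnerable parserXML() code, so nothing here is the project's own logic). It assumes an import endpoint that accepts a single XML file, that the expected document has a fixed root element called wmsImport, and the limits and function names shown; all of those are assumptions chosen for the example. It checks the client-supplied name, the size and the content, refuses DOCTYPE and ENTITY declarations before the parser sees them, and stores accepted bytes under a random server-generated name in a directory that is assumed to sit outside the web root.

```python
"""Hardened validation for an XML upload endpoint.

Added example, not JeeWMS code. validate_xml_upload(), store_upload(),
UploadRejected, the root tag "wmsImport" and the limits below are
assumptions made for illustration.
"""
import os
import re
import secrets
import xml.etree.ElementTree as ET

MAX_BYTES = 2 * 1024 * 1024          # assumed size cap for an import file
ALLOWED_EXTENSIONS = {".xml"}        # allowlist; never a denylist of ".jsp" etc.
# DOCTYPE/ENTITY declarations are refused before parsing so the parser never
# performs entity expansion or sees external references.
_DOCTYPE_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)
_SAFE_BASENAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,100}$")
EXPECTED_ROOT = "wmsImport"          # assumed root element of the import format


class UploadRejected(ValueError):
    """Raised when an upload fails a validation check."""


def validate_xml_upload(client_filename: str, data: bytes) -> ET.Element:
    """Validate an uploaded XML file by name, size and content.

    Returns the parsed root element on success and raises UploadRejected
    otherwise. The client-supplied name is used for checks only; it is never
    reused as a path (see store_upload()).
    """
    if "\x00" in client_filename:
        raise UploadRejected("null byte in filename")
    # Normalise separators, then require the name to be a bare basename.
    base = os.path.basename(client_filename.replace("\\", "/"))
    if base != client_filename or not _SAFE_BASENAME_RE.match(base):
        raise UploadRejected("filename contains path separators or bad characters")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized upload")
    if _DOCTYPE_RE.search(data):
        raise UploadRejected("DOCTYPE/ENTITY declarations are not accepted")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise UploadRejected(f"not well-formed XML: {exc}") from None
    # Content check: a JSP-in-XML document (jsp:root) is well-formed XML but
    # is not the import format, so the root tag is pinned.
    if root.tag != EXPECTED_ROOT:
        raise UploadRejected(f"unexpected root element {root.tag!r}")
    return root


def store_upload(data: bytes, upload_dir: str) -> str:
    """Persist validated bytes under a server-generated name.

    upload_dir is assumed to be outside the web root, so nothing written here
    can be requested, let alone executed, through the application server.
    """
    name = secrets.token_hex(16) + ".xml"
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def check_upload(client_filename: str, data: bytes) -> tuple:
    """Return (accepted, reason) so a batch of samples can be tabulated."""
    try:
        validate_xml_upload(client_filename, data)
        return True, "ok"
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed samples: one legitimate import and several hostile uploads.
    samples = [
        ("stock.xml", b"<wmsImport><item sku='A1' qty='3'/></wmsImport>"),
        ("../../webapps/ROOT/shell.xml", b"<wmsImport/>"),
        ("shell.jsp", b"<wmsImport/>"),
        ("shell.xml", b'<%@ page import="java.io.*" %><% out.println(1); %>'),
        ("shell.xml", b'<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.0"/>'),
        ("bomb.xml", b'<!DOCTYPE a [<!ENTITY x "y">]><wmsImport>&x;</wmsImport>'),
    ]
    for name, body in samples:
        ok, why = check_upload(name, body)
        print(f"{name:32} {'ACCEPT' if ok else 'REJECT':7} {why}")
```

The decisive control is the last one: even if a crafted file passed every check, it lands outside the web root under a name the attacker cannot predict or request, so it cannot be reached as a web shell (T1505.003).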