CVE-2024-7314
Published: 02 August 2024
Summary
CVE-2024-7314 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Anji-Plus Report. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
anji-plus AJ-Report contains an authentication bypass vulnerability tracked as CVE-2024-7314. The flaw allows a remote attacker to append the string ";swagger-ui" to HTTP requests, which circumvents authentication controls and permits execution of arbitrary Java code on the server. The issue carries a CVSS 3.1 score of 9.8 and is associated with CWE-288.
A remote unauthenticated attacker can exploit the weakness over the network without user interaction to gain full control of the affected AJ-Report instance, including the ability to read, modify, or delete data and execute operating-system commands. The same technique has been packaged in public proof-of-concept code.
Exploitation of the vulnerability was observed in the wild by the Shadowserver Foundation on 2025-02-05 UTC. The EPSS score reached a peak of 0.7458 and remains at that level, indicating sustained exploitation interest after disclosure.
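Because the advisory states that the bypass is carried in the HTTP request as the literal string ";swagger-ui", the cheapest retroactive check for exposed AJ-Report instances is to search web-server access logs for that marker. The following Python example is added here for that purpose; it is not code from the page, from anji-plus, or from any referenced proof-of-concept. It assumes Common/Combined-style access-log lines, and the hostnames, addresses and paths in the sample lines are constructed placeholders. It also assumes the marker appears in the request target (path or query), which is an assumption made for illustration, and it percent-decodes the target before matching so an encoded variant of the same string is not silently missed. For each hit it reports the request path with the ";..." suffix stripped, so an analyst can see which endpoint was reached behind the bypass.

```python
"""Scan access-log lines for the ';swagger-ui' marker described for CVE-2024-7314.

Added detection example. Log format, addresses and paths are constructed
placeholders, not data taken from the advisory or from a real deployment.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Marker string taken from the CVE description; matched case-insensitively.
MARKER = ";swagger-ui"

# Common/Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (placeholder hosts and paths, not real AJ-Report routes).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Feb/2025:10:15:02 +0000] '
    '"GET /example/protected-endpoint;swagger-ui?id=1 HTTP/1.1" 200 512',
    '198.51.100.4 - - [05/Feb/2025:10:15:09 +0000] '
    '"GET /login HTTP/1.1" 200 1024',
    '203.0.113.7 - - [05/Feb/2025:10:16:41 +0000] '
    '"POST /example/admin-action;swagger-ui HTTP/1.1" 200 88',
    '192.0.2.55 - - [05/Feb/2025:11:02:13 +0000] '
    '"GET /example/other%3Bswagger-ui HTTP/1.1" 200 64',
    'garbage line that does not parse',
]


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    raw_target: str        # request target exactly as logged
    normalized_path: str   # path with query and ';...' segment parameters removed
    status: int


def normalize_path(target: str) -> str:
    """Drop the query string, then strip any ';...' suffix from every path segment.

    This makes '/a/b;swagger-ui?x=1' report as '/a/b', the endpoint actually reached.
    """
    path = target.split("?", 1)[0]
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def scan_access_log(lines) -> list:
    """Return a Finding for every parseable line whose decoded target contains MARKER."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole scan
        raw_target = m.group("target")
        decoded = unquote(raw_target)  # catch percent-encoded forms of the marker
        if MARKER not in decoded.lower():
            continue
        findings.append(Finding(
            ip=m.group("ip"),
            ts=m.group("ts"),
            method=m.group("method"),
            raw_target=raw_target,
            normalized_path=normalize_path(decoded),
            status=int(m.group("status")),
        ))
    return findings


def by_source(findings) -> dict:
    """Count findings per client address, a quick triage view for blocking/escalation."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} {h.method} {h.normalized_path} (raw: {h.raw_target}) -> {h.status}")
    print("per-source:", by_source(hits))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a hit with a 200 status on a path that normally requires a session is the signal worth escalating, and the per-source counts give a starting point for blocking or further investigation.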
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-48255
Vulnerability details
anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java on the victim server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
- CWE(s): CWE-288 Authentication Bypass Using an Alternate Path or Channel
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
CVE-2024-7314 is an authentication bypass in a public-facing web application (anji-plus AJ-Report). An unauthenticated remote attacker appends ';swagger-ui' to requests and gains the ability to execute arbitrary Java code (RCE), which is a direct instance of exploiting a public-facing application.
Affected Assets
- anji-plus AJ-Report
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Authorizing remote access reduces the ability to bypass authentication via unauthorized alternate remote channels.
- Users can identify logons via alternate paths or channels by reviewing the previous logon time.
- Adaptive requirements can apply across access paths, reducing the ability to bypass authentication via alternate channels or paths.
- Centralized IdPs close alternate authentication paths that enable bypass.
- Enforcing authentication for non-organizational users makes it harder to bypass via alternate paths or channels.
- Requiring authentication to occur exclusively over the isolated trusted path directly prevents bypass via alternate or untrusted channels.