CVE-2024-13139
Published: 05 January 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13139 is a server-side request forgery (SSRF) vulnerability, rated as critical, affecting wangl1989 mysiteforme version 1.0. The issue is located in the doContent function of the FileController class at src/main/java/com/mysiteform/admin/controller/system/FileController, where manipulation of the content argument triggers the SSRF. It is associated with CWE-918 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). The vulnerability was published on 2025-01-05.
An attacker can exploit this vulnerability remotely with low privileges, requiring no user interaction and low complexity. By manipulating the content argument, the attacker induces the server to make unintended requests, potentially leading to limited impacts on confidentiality, integrity, and availability.
Advisories and further details are documented in the project's GitHub repository at https://github.com/wangl1989/mysiteforme/issues/56 (including issue comment at #issue-2757876365) and on VulDB at https://vuldb.com/?ctiid.290213, https://vuldb.com/?id.290213, and https://vuldb.com/?submit.468513. The exploit has been disclosed publicly and may be used.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF vulnerability (CVE-2024-13139) in public-facing web app enables initial access via exploitation of public-facing application (T1190), local file reads facilitating data from local system (T1005), and file and directory discovery (T1083).