Cyber Posture

CVE-2024-13189

HighPublic PoC

Published: 08 January 2025

Published
08 January 2025
Modified
28 May 2025
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.0008 24.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-13189 is a critical vulnerability in ZeroWdd myblog 1.0, affecting an unknown part of the file src/main/java/com/wdd/myblog/config/MyBlogMvcConfig.java. The issue stems from permission problems, mapped to CWE-266 and CWE-275, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). It was published on 2025-01-08.

The vulnerability enables remote exploitation by unauthenticated attackers (PR:N) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Manipulation leads to permission issues, allowing limited impacts on confidentiality, integrity, and availability (C:L/I:L/A:L).

Details on the vulnerability, including the publicly disclosed exploit, are documented in GitHub issues at https://github.com/ZeroWdd/myblog/issues/1 and https://github.com/ZeroWdd/myblog/issues/1#issue-2759828006, as well as VulDB entries at https://vuldb.com/?ctiid.290781, https://vuldb.com/?id.290781, and https://vuldb.com/?submit.469223. No specific patch or mitigation details are provided in the available information.

Details

CWE(s)
CWE-266CWE-275NVD-CWE-noinfo

Affected Products

zerowdd
myblog
1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Critical permission bypass in public-facing web application (ZeroWdd myblog MVC config) allows remote unauthenticated access to admin paths, enabling exploitation of public-facing application.

References