CVE-2024-57757
Published: 15 January 2025
Description
Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable information.
Security Summary
CVE-2024-57757 is a permission bypass vulnerability, classified under CWE-862 (Missing Authorization), affecting JeeWMS versions prior to v2025.01.01. The flaw is located in the /interceptors/AuthInterceptor.cava component, enabling attackers to circumvent access controls. Published on 2025-01-15, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high severity due to its potential for significant confidentiality impacts.
Remote unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and without requiring user interaction. Successful exploitation allows bypassing authorization checks, granting access to sensitive data that should otherwise be restricted.
Mitigation is achieved by upgrading to JeeWMS v2025.01.01 or later. Further details are provided in the referenced advisory at https://gitee.com/erzhongxmu/JEEWMS/issues/IBFKBM.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Permission bypass in AuthInterceptor allows unauthenticated exploitation of public-facing web application (T1190) to access sensitive customer data via mdCusController.do, matching CRM software data collection (T1213.004).