CVE-2024-52302

common-user-management Unrestricted File Upload Leading to Remote Code Execution (RCE)

CVSS 8.7 HIGHEPSS 3.2%CWE-434

common-user-management is a robust Spring Boot application featuring user management services designed to control user access dynamically. There is a critical security vulnerability in the application endpoint /api/v1/customer/profile-picture. This endpoint allows file uploads without proper validation or restrictions, enabling attackers to upload malicious files that can lead to Remote Code Execution (RCE).

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

OsamaTaher · Java-springboot-codebase

public PoCs found — 3

githubgithub.com/d3sca/CVE-2024-52302★ 1 githubgithub.com/pream-totaram/CVE-2024-52302-reproduction★ 0 exploitdbwww.exploit-db.com/exploits/52206unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/OsamaTaher/Java-springboot-codebase/commit/204402bb8b68030c14911379ddc82cfff00b8538 https://github.com/OsamaTaher/Java-springboot-codebase/security/advisories/GHSA-rhcq-44g3-5xcx