CVE-2024-7314

anji-plus AJ-Report Authentication Bypass

CVSS 9.8 CRITICALEPSS 51.5%CWE-288

anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java on the victim server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

anji-plus · AJ-Report

public PoCs found — 3

cve_referencegithub.com/vulhub/vulhub/tree/master/aj-report/CNVD-2024-15077unverified cve_referencegithub.com/yuebusao/AJ-REPORT-EXPLOITunverified cve_referencexz.aliyun.com/t/14460unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/vulhub/vulhub/tree/master/aj-report/CNVD-2024-15077 https://github.com/yuebusao/AJ-REPORT-EXPLOIT https://vulncheck.com/advisories/aj-report-swagger https://xz.aliyun.com/t/14460