cbcvebase.
CVE-2024-7314
published 2024-08-02


Priority P1 (93) · critical · 9.8 CVSS 3.1
AV:N AC:L PR:N UI:N S:U C:H I:H A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 51.47% (98.8th percentile)
anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java on the victim server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

Affected

2 ranges
Vendor    | Product   | Version range | Fixed in
anji-plus | aj-report | < 1.4.1       | 1.4.1
anji-plus | report    | < 1.4.1       | 1.4.1

Detection & IOCs (extracted from sources)

url: /dataSetParam/verification;swagger-ui/
command: function verification(data){a = new java.lang.ProcessBuilder("id").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}
path: /dataSetParam/verification;swagger-ui/
yara
rule CVE_2024_7314_AJReport_AuthBypass_RCE
{
    strings:
        $path    = "/dataSetParam/verification;swagger-ui"
        $payload = "java.lang.ProcessBuilder"
    condition:
        $path and $payload
}
sigma
title: CVE-2024-7314 AJ-Report Auth Bypass RCE
logsource:
  category: webserver
detection:
  selection:
    cs-method: POST
    # both substrings must be present; two identical 'cs-uri-stem|contains' keys
    # would be a duplicate YAML key and only the last one would be kept
    cs-uri-stem|contains|all:
      - '/dataSetParam/verification'
      - ';swagger-ui'
  condition: selection

  • Look for HTTP POST requests to paths containing ';swagger-ui' as a suffix; this is the authentication bypass token appended to any protected endpoint.
  • The specific exploitation endpoint is POST /dataSetParam/verification;swagger-ui/ with a JSON body containing a 'validationRules' key holding a Java script engine payload using java.lang.ProcessBuilder.
  • Detect script engine injection via the 'validationRules' field in the request body containing Java class references such as 'java.lang.ProcessBuilder' or 'java.io.BufferedReader'.
  • Successful exploitation returns a JSON response with Content-Type: application/json and a body matching 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)'; monitor for OS command output in AJ-Report API responses.
  • Active in-the-wild exploitation was confirmed; prioritize detection on internet-facing AJ-Report instances (FOFA: app="AJ-Report", Shodan: http.title:"AJ-Report").
  • The authentication bypass only works on versions strictly before 1.4.1; instances already upgraded are not vulnerable.
  • The bypass mechanism relies on appending ';swagger-ui' to any protected URL path, so WAF/IDS rules should match the semicolon-delimited suffix pattern broadly, not just the specific PoC endpoint, to cover variant paths.
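The detection bullets above describe three layers (bypass suffix on any path, script-engine payload in 'validationRules', and `id` output leaking back in the response) plus the version caveat. The following script is an added example, not code from this page, from AJ-Report, or from any vendor: it applies those layers to a constructed per-line JSON log (field names `method`, `path`, `request_body`, `response_body` are assumed; adapt them to your proxy or WAF export) and implements the broad suffix match the last bullet recommends, so a bypass attempt against a path other than the PoC endpoint is still flagged, while the legitimate `/swagger-ui/` UI path without the semicolon is not.

```python
"""Detection helper for CVE-2024-7314 (AJ-Report ';swagger-ui' auth bypass).

Added example; not code from the page or the AJ-Report project. The log
format below is constructed (one JSON object per line with request and
response fields); adapt the field names to your own log source.
"""
import json
import re
from typing import Iterable, List, Optional, Tuple

# The bypass token is a matrix-parameter-style suffix on any protected path,
# so match it broadly (not only the PoC endpoint). Requiring the semicolon
# keeps the genuine /swagger-ui/ documentation path from matching.
BYPASS_RE = re.compile(r";swagger-ui(?:/|$|\?)", re.IGNORECASE)
# Java class references quoted on the page as script-engine payload markers.
PAYLOAD_MARKERS = ("java.lang.ProcessBuilder", "java.io.BufferedReader")
# Output of `id` echoed in a JSON response; regex as given on the page.
ID_OUTPUT_RE = re.compile(r"uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)")
# First release that closes the bypass.
FIXED_VERSION = (1, 4, 1)


def is_vulnerable_version(version: str) -> bool:
    """True for AJ-Report versions strictly below 1.4.1 (dotted numeric only)."""
    parts = tuple(int(p) for p in version.split("."))
    parts = (parts + (0, 0, 0))[:3]  # "1.4" compares as 1.4.0
    return parts < FIXED_VERSION


def classify(event: dict) -> Optional[str]:
    """Return the most severe finding for one request/response event, or None."""
    path = event.get("path", "")
    if not BYPASS_RE.search(path):
        return None
    finding = "auth_bypass_attempt"
    body = event.get("request_body", "")
    try:
        # PoC sends JSON with the script under 'validationRules'
        rules = str(json.loads(body).get("validationRules", ""))
    except (ValueError, AttributeError):
        rules = body  # not JSON (or not an object): scan the raw body instead
    if any(marker in rules for marker in PAYLOAD_MARKERS):
        finding = "rce_attempt"
        if ID_OUTPUT_RE.search(event.get("response_body", "")):
            finding = "rce_success"  # command output came back to the client
    return finding


def scan(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan JSON log lines; return (line number, finding, path) for each hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue  # not a JSON log line; skip it
        finding = classify(event)
        if finding:
            findings.append((lineno, finding, event.get("path", "")))
    return findings


# Constructed sample log: line 1 is the page's PoC shape, line 2 a bypass
# attempt against a different (assumed) endpoint, lines 3-4 benign traffic.
SAMPLE_LOG = "\n".join([
    json.dumps({"method": "POST", "path": "/dataSetParam/verification;swagger-ui/",
                "request_body": json.dumps({"validationRules":
                    "function verification(data){a = new java.lang.ProcessBuilder(\"id\")"
                    ".start().getInputStream(); return ''}"}),
                "status": 200,
                "response_body": json.dumps({"code": 200,
                    "data": "uid=1000(ajreport) gid=1000(ajreport)"})}),
    json.dumps({"method": "GET", "path": "/dataSource/list;swagger-ui/",
                "request_body": "", "status": 200, "response_body": "{}"}),
    json.dumps({"method": "GET", "path": "/swagger-ui/index.html",
                "request_body": "", "status": 200, "response_body": ""}),
    json.dumps({"method": "POST", "path": "/dataSetParam/verification",
                "request_body": json.dumps({"validationRules": "function verification(d){return true}"}),
                "status": 401, "response_body": ""}),
])

if __name__ == "__main__":
    for lineno, finding, path in scan(SAMPLE_LOG.splitlines()):
        print(f"line {lineno}: {finding} {path}")
    print("1.4.0 vulnerable:", is_vulnerable_version("1.4.0"))
```

`classify` returns the single most severe finding per event; feeding it `rce_success` events is the signal to escalate to incident response, whereas `auth_bypass_attempt` on an instance already at 1.4.1 or later (`is_vulnerable_version` returns False) is a scanning indicator rather than a compromise.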

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL