CVE-2024-7314
Published 2024-08-02
Priority: P1 (93) · Critical 9.8 (CVSS 3.1) · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 51.47% (98.8th percentile)
anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java on the victim server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| anji-plus | aj-report | < 1.4.1 | 1.4.1 |
| anji-plus | report | < 1.4.1 | 1.4.1 |
Detection & IOCs (extracted from sources)
command:
function verification(data){a = new java.lang.ProcessBuilder("id").start().getInputStream();r=new java.io.BufferedReader(new java.io.InputStreamReader(a));ss='';while((line = r.readLine()) != null){ss+=line};return ss;}
yara:
rule CVE_2024_7314_AJReport_AuthBypass_RCE {
    strings:
        $path = "/dataSetParam/verification;swagger-ui"
        $payload = "java.lang.ProcessBuilder"
    condition:
        $path and $payload
}
sigma:
title: CVE-2024-7314 AJ-Report Auth Bypass RCE
detection:
  selection:
    cs-method: POST
    # both substrings must be present; a single key with the |all modifier
    # avoids the duplicate-key YAML error of listing cs-uri-stem|contains twice
    cs-uri-stem|contains|all:
      - '/dataSetParam/verification'
      - ';swagger-ui'
  condition: selection
- Look for HTTP POST requests to paths containing ';swagger-ui' as a suffix — this is the authentication bypass token appended to any protected endpoint.
- The specific exploitation endpoint is POST /dataSetParam/verification;swagger-ui/ with a JSON body containing a 'validationRules' key holding a Java script engine payload using java.lang.ProcessBuilder.
- Detect script engine injection via the 'validationRules' field in the request body containing Java class references such as 'java.lang.ProcessBuilder' or 'java.io.BufferedReader'.
- Successful exploitation returns a JSON response with Content-Type: application/json and a body matching 'uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)' — monitor for OS command output in AJ-Report API responses.
- Active in-the-wild exploitation was confirmed; prioritize detection on internet-facing AJ-Report instances (FOFA: app="AJ-Report", Shodan: http.title:"AJ-Report").
- The authentication bypass only works on versions strictly before 1.4.1; instances already upgraded are not vulnerable.
- The bypass mechanism relies on appending ';swagger-ui' to any protected URL path — WAF/IDS rules should match the semicolon-delimited suffix pattern broadly, not just the specific PoC endpoint, to cover variant paths.
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
GHSA
GHSA-29j3-7mhp-wmwm (ghsa_unreviewed · 2024-08-02): anji-plus AJ-Report is affected by an authentication bypass vulnerability
CVE-2024-7314 [CRITICAL] CWE-280
anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java on the victim server.
VulnCheck
anji-plus report Authentication Bypass Using an Alternate Path or Channel (vulncheck · 2024 · CVSS 9.8)
CVE-2024-7314 [CRITICAL]
anji-plus AJ-Report is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java on the victim server. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
Affected: anji-plus report
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.greynoise.io/blog/coordinated-cloud-based-scanning-operation-targets-75-known-exposure-points; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-7314&date=2025-10-17; http
No detection rules found.
Nuclei
AJ-Report < 1.4.1 - Remote Code Execution (nuclei · CVSS 9.8)
CVE-2024-7314 [CRITICAL]
AJ-Report before version 1.4.1 is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java code on the victim server through script engine injection in the validation rules functionality.
Template:
id: CVE-2024-7314
info:
  name: AJ-Report < 1.4.1 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    AJ-Report before version 1.4.1 is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java code on the victim server through script engine injection in the validation rules fu