{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-5353", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2024-05-25T05:37:03.889Z", "datePublished": "2024-05-26T04:00:04.861Z", "dateUpdated": "2024-08-01T21:11:12.555Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-05-26T04:00:04.861Z"}, "title": "anji-plus AJ-Report ZIP File decompress path traversal", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Path Traversal"}]}], "affected": [{"vendor": "anji-plus", "product": "AJ-Report", "versions": [{"version": "1.4.0", "status": "affected"}, {"version": "1.4.1", "status": "affected"}], "modules": ["ZIP File Handler"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in anji-plus AJ-Report up to 1.4.1. This affects the function decompress of the component ZIP File Handler. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-266265 was assigned to this vulnerability."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in anji-plus AJ-Report bis 1.4.1 entdeckt. Sie wurde als kritisch eingestuft. Es betrifft die Funktion decompress der Komponente ZIP File Handler. Durch Beeinflussen mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "timeline": [{"time": "2024-05-25T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2024-05-25T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2024-05-25T07:42:23.000Z", "lang": "en", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.266265", "name": "VDB-266265 | anji-plus AJ-Report ZIP File decompress path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.266265", "name": "VDB-266265 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/anji-plus/report/issues/34", "tags": ["issue-tracking"]}, {"url": "https://github.com/anji-plus/report/files/15363269/aj-report.pdf", "tags": ["exploit"]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5353", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-28T15:17:18.461885Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T18:02:48.640Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.555Z"}, "title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.266265", "name": "VDB-266265 | anji-plus AJ-Report ZIP File decompress path traversal", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.266265", "name": "VDB-266265 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://github.com/anji-plus/report/issues/34", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://github.com/anji-plus/report/files/15363269/aj-report.pdf", "tags": ["exploit", "x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://vuldb.com/?id.266265", "name": "VDB-266265 | anji-plus AJ-Report ZIP File decompress path traversal", "tags": ["vdb-entry", "technical-description", "x_transferred"]}, {"url": "https://vuldb.com/?ctiid.266265", "name": "VDB-266265 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required", "x_transferred"]}, {"url": "https://github.com/anji-plus/report/issues/34", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://github.com/anji-plus/report/files/15363269/aj-report.pdf", "tags": ["exploit", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:11:12.555Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-5353", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-05-28T15:17:18.461885Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-28T15:17:46.352Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "anji-plus AJ-Report ZIP File decompress path traversal", "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "affected": [{"vendor": "anji-plus", "modules": ["ZIP File Handler"], "product": "AJ-Report", "versions": [{"status": "affected", "version": "1.4.0"}, {"status": "affected", "version": "1.4.1"}]}], "timeline": [{"lang": "en", "time": "2024-05-25T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2024-05-25T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2024-05-25T07:42:23.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.266265", "name": "VDB-266265 | anji-plus AJ-Report ZIP File decompress path traversal", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.266265", "name": "VDB-266265 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://github.com/anji-plus/report/issues/34", "tags": ["issue-tracking"]}, {"url": "https://github.com/anji-plus/report/files/15363269/aj-report.pdf", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in anji-plus AJ-Report up to 1.4.1. This affects the function decompress of the component ZIP File Handler. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-266265 was assigned to this vulnerability."}, {"lang": "de", "value": "Es wurde eine Schwachstelle in anji-plus AJ-Report bis 1.4.1 entdeckt. Sie wurde als kritisch eingestuft. Es betrifft die Funktion decompress der Komponente ZIP File Handler. Durch Beeinflussen mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Path Traversal"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2024-05-26T04:00:04.861Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5353", "state": "PUBLISHED", "dateUpdated": "2024-08-01T21:11:12.555Z", "dateReserved": "2024-05-25T05:37:03.889Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2024-05-26T04:00:04.861Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anji-plus:aj-report:*:*:*:*:*:*:*:*", "matchCriteriaId": "411B7B4B-C8B0-4F83-8D2B-FED869E306BA", "versionEndIncluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability classified as critical has been found in anji-plus AJ-Report up to 1.4.1. This affects the function decompress of the component ZIP File Handler. The manipulation leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-266265 was assigned to this vulnerability."}, {"lang": "es", "value": "Una vulnerabilidad ha sido encontrada en anji-plus AJ-Report hasta 1.4.1 y clasificada como cr\u00edtica. Esto afecta la funci\u00f3n descomprimir del componente ZIP File Handler. La manipulaci\u00f3n conduce a path traversal. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado al p\u00fablico y puede utilizarse. A esta vulnerabilidad se le asign\u00f3 el identificador VDB-266265."}], "id": "CVE-2024-5353", "lastModified": "2025-03-01T02:33:14.063", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2024-05-26T04:15:08.350", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit"], "url": "https://github.com/anji-plus/report/files/15363269/aj-report.pdf"}, {"source": "cna@vuldb.com", "tags": ["Broken Link"], "url": "https://github.com/anji-plus/report/issues/34"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.266265"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?id.266265"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://github.com/anji-plus/report/files/15363269/aj-report.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "https://github.com/anji-plus/report/issues/34"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.266265"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?id.266265"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}