An issue in Jeewms v.3.7 and before allows a remote attacker to escalate privileges via the AuthInterceptor component.
The vulnerability is classified as CWE-22 (path traversal) and CWE-27, indicating improper validation of paths in the AuthInterceptor component responsible for access control. An attacker can craft an HTTP request containing a properly constructed path that allows bypassing authorization mechanisms. As a result, it is possible to gain access to resources or functions reserved for privileged users without possessing valid credentials.
An unauthenticated attacker can remotely escalate their privileges in the system, leading to complete compromise of confidentiality, integrity, and availability of data processed by the Jeewms application.
Apply patches available from the vendor according to the references. It is recommended to update to a version higher than 3.7 and restrict access to the application interface from external networks until the fix is applied.
Jeewms version 3.7 and all earlier versions
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HJeewms
APPJeewms≤ 3.7
Related vulnerabilities
SQL Injection w Jeewms v3.7 poprzez CgReportController API
JeeWMS — pominięcie uwierzytelnienia umożliwiające odczyt plików
JeeWMS before v2025.01.01 was discovered to contain a permission bypass in the component /interceptors/AuthInt...
Directory Traversal vulnerability in Jeewms v.3.7 and before allows a remote attacker to obtain sensitive info...
A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality ...