JeeWMS 771e4f5d0c01ffdeae1671be4cf102b73a3fe644 (2025-05-19) contains incorrect authentication bypass vulnerability, which can lead to arbitrary file reading.
The vulnerability results from improper implementation of the authentication mechanism (CWE-287), which can be bypassed without providing correct login credentials. A remote attacker with no privileges and without user interaction is able to gain access to protected application resources. After bypassing authentication, it is possible to read any files available in the context of the application process.
An attacker can read arbitrary files on the server, which may lead to exposure of sensitive configuration data, passwords, private keys, or other sensitive information. Combined with high CVSS scores for confidentiality, integrity, and availability, system compromise can be extensive.
Patches available from the vendor should be applied according to references. The recommended action is to update to a version containing the fix described in issue IC8RPM in the Gitee repository. Until the patch is applied, consider restricting access to the application to trusted IP addresses only using a firewall or network access control mechanisms.
JeeWMS in the version corresponding to commit 771e4f5d0c01ffdeae1671be4cf102b73a3fe644 (2025-05-19)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HJeewms
APPJeewms2025-05-19
Related vulnerabilities
SQL Injection w Jeewms v3.7 poprzez CgReportController API
Eskalacja uprawnień przez path traversal w Jeewms (AuthInterceptor)
JeeWMS before v2025.01.01 was discovered to contain a permission bypass in the component /interceptors/AuthInt...
Directory Traversal vulnerability in Jeewms v.3.7 and before allows a remote attacker to obtain sensitive info...
A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality ...