CVE-2024-13145 Overview
CVE-2024-13145 is an unrestricted file upload vulnerability in zhenfeng13 My-Blog 1.0, an open source Java-based blogging application. The flaw resides in the upload function of src/main/java/com/site/blog/my/core/controller/admin/uploadController.java. An authenticated attacker can manipulate the file parameter to upload arbitrary files to the server over the network. The issue has been publicly disclosed through GitHub and VulDB, increasing the likelihood of opportunistic abuse. The weakness is tracked under CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-284 (Improper Access Control).
Critical Impact
Remote authenticated attackers can upload arbitrary files to a My-Blog 1.0 instance, enabling potential webshell deployment and follow-on compromise of the hosting environment.
Affected Products
- zhenfeng13 My-Blog 1.0
- Deployments using the vulnerable uploadController.java admin endpoint
- Self-hosted instances exposing the admin upload interface over the network
Discovery Timeline
- 2025-01-06 - CVE-2024-13145 published to NVD
- 2025-08-22 - Last updated in NVD database
Technical Details for CVE-2024-13145
Vulnerability Analysis
The vulnerability stems from missing validation in the administrative upload handler. The upload function in uploadController.java accepts a file argument without enforcing restrictions on file type, extension, or content. An attacker who can authenticate to the admin interface can submit a crafted multipart request and place arbitrary files into the web-accessible directory.
Because the application is a Java web project typically deployed under a servlet container, an uploaded .jsp or other server-interpreted file can be requested back to achieve code execution in many real-world deployments. The exploit details have been published in the upstream GitHub issue tracker, lowering the barrier for reproduction.
Root Cause
The controller does not implement an allowlist of permitted file extensions and does not verify the MIME type or content of what is uploaded. Combined with the improper access control captured by CWE-284, the upload endpoint accepts dangerous file types and stores them in a location reachable by unauthenticated HTTP requests.
Attack Vector
The attack is launched remotely over HTTP. An attacker with low-privilege access to the admin interface sends a POST request to the vulnerable upload endpoint with a malicious payload in the file parameter. After upload, the attacker requests the stored file URL to trigger execution or exfiltrate hosted content. No user interaction is required beyond the attacker's own session.
No verified proof-of-concept code is published in authoritative repositories. Refer to the GitHub Issue Discussion and VulDB #290233 for technical details.
Detection Methods for CVE-2024-13145
Indicators of Compromise
- Unexpected files with executable extensions such as .jsp, .jspx, or .war written under the My-Blog upload directory.
- HTTP POST requests to the admin upload endpoint originating from unusual IP addresses or user agents.
- Outbound network connections initiated by the Java application process shortly after a successful upload.
- New administrator sessions immediately followed by file upload activity and access to newly created paths.
Detection Strategies
- Monitor web server access logs for POST requests to the upload controller followed by GET requests to newly created static paths.
- Hash and inventory files in the upload directory and alert on additions of server-executable file types.
- Inspect application logs for upload events lacking a corresponding administrative workflow.
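The first detection strategy above (an upload POST followed by a GET of a newly created executable path) can be implemented as a small correlation over web server access logs. The code below is an added example, not part of the advisory and not code from the My-Blog project. The admin route /admin/upload, the served prefix /upload/, the ten-minute window and the sample log lines are all constructed assumptions; adjust them to the deployment's real paths.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values (not taken from the advisory): the admin upload route, the
# web-accessible prefix under which uploads are served, and the alert window.
UPLOAD_ENDPOINT = "/admin/upload"
SERVED_PREFIX = "/upload/"
EXECUTABLE_EXT = (".jsp", ".jspx", ".war")   # extensions listed under Indicators of Compromise
WINDOW = timedelta(minutes=10)

# Combined/NCSA access log format: client, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client uploads and immediately fetches a .jsp,
# another uploads an image and only ever fetches images.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jan/2025:10:00:01 +0000] "GET /admin/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Jan/2025:10:00:09 +0000] "POST /admin/upload HTTP/1.1" 200 83 "-" "python-requests/2.31"
203.0.113.7 - - [06/Jan/2025:10:00:15 +0000] "GET /upload/20250106/a1.jsp HTTP/1.1" 200 45 "-" "python-requests/2.31"
198.51.100.4 - - [06/Jan/2025:10:01:00 +0000] "GET /upload/20250106/photo.png HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Jan/2025:10:02:00 +0000] "POST /admin/upload HTTP/1.1" 200 83 "-" "Mozilla/5.0"
198.51.100.4 - - [06/Jan/2025:10:02:30 +0000] "GET /upload/20250106/banner.png HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop any query string
        "status": int(m.group("status")),
    }

def find_upload_then_exec(lines):
    """Return (client_ip, path) pairs where a client made a successful POST to the
    upload endpoint and, within WINDOW, fetched a not-previously-seen
    server-executable path under the served upload prefix."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    upload_times = defaultdict(list)   # client ip -> timestamps of successful uploads
    seen_paths = set()
    hits = []
    for e in events:
        if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT and e["status"] < 400:
            upload_times[e["ip"]].append(e["ts"])
            continue
        if (e["method"] == "GET"
                and e["path"].startswith(SERVED_PREFIX)
                and e["path"].lower().endswith(EXECUTABLE_EXT)
                and e["path"] not in seen_paths
                and any(timedelta(0) <= e["ts"] - t <= WINDOW for t in upload_times[e["ip"]])):
            hits.append((e["ip"], e["path"]))
        seen_paths.add(e["path"])
    return hits

if __name__ == "__main__":
    for ip, path in find_upload_then_exec(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {ip} uploaded then fetched {path}")
```

Only the first client is reported: it posted to the upload route and, six seconds later, requested a .jsp path under the upload prefix that no client had fetched before. The second client's POST is followed only by image requests. Correlating on the same client address is a deliberate simplification; in production, key on the authenticated session or user instead, since the upload and the follow-up fetch need not come from one address.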
Monitoring Recommendations
- Enable file integrity monitoring on the web root and upload directories of My-Blog deployments.
- Forward application, web server, and host telemetry to a centralized analytics platform for correlation.
- Alert on Java process spawning shell interpreters such as bash, sh, or cmd.exe, which often indicates post-upload webshell activity.
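The "hash and inventory" strategy and the file integrity monitoring recommendation above amount to a baseline snapshot of the upload directory followed by periodic diffs. The following is an added example, not from the advisory or the My-Blog project; the directory layout and file contents in demo() are constructed, and the extension set is taken from the indicator list and the nginx workaround on this page.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions treated as server-executable: those named under Indicators of
# Compromise plus the ones the nginx workaround on this page denies.
DANGEROUS_EXT = {".jsp", ".jspx", ".war", ".sh", ".php"}

def snapshot(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    inventory = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            inventory[p.relative_to(root).as_posix()] = h.hexdigest()
    return inventory

def diff_inventory(before, after):
    """Return (added, modified, removed) relative paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, modified, removed

def dangerous_changes(before, after):
    """Added or modified files carrying a server-executable extension anywhere in
    the name, so a double extension such as x.jsp.png is flagged as well."""
    added, modified, _ = diff_inventory(before, after)
    return sorted(p for p in added + modified
                  if any(s.lower() in DANGEROUS_EXT for s in Path(p).suffixes))

def demo():
    """Build a constructed upload tree, baseline it, add files, and report."""
    with tempfile.TemporaryDirectory() as root:
        day = Path(root, "20250106")
        day.mkdir()
        (day / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(16))  # constructed
        baseline = snapshot(root)
        (day / "notes.txt").write_text("benign text")             # constructed, benign
        (day / "a1.jsp").write_text("constructed placeholder")     # constructed, should alert
        (day / "x.jsp.png").write_text("constructed placeholder")  # constructed, should alert
        return dangerous_changes(baseline, snapshot(root))

if __name__ == "__main__":
    for path in demo():
        print(f"ALERT: server-executable file added or changed: {path}")
```

Run snapshot() from a scheduled job, persist the result somewhere the web application cannot write, and compare each new run against the stored baseline; alerting on modified files as well as additions catches an existing benign file being overwritten with executable content.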
How to Mitigate CVE-2024-13145
Immediate Actions Required
- Restrict network access to the My-Blog admin interface using a reverse proxy, VPN, or IP allowlist.
- Rotate administrator credentials and review accounts with upload privileges.
- Audit the upload directory for unauthorized files and remove any unexpected server-executable content.
- Disable execution of scripts within upload directories at the servlet container or web server layer.
Patch Information
No official vendor patch is referenced in the NVD entry at the time of publication. Maintainers and downstream users should track the upstream GitHub Issue #141 for remediation updates and apply fixes that introduce an allowlist of permitted file extensions, randomize stored filenames, and validate MIME types server-side.
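The remediation described above (extension allowlist, server-side MIME validation, randomized stored filenames) and the root cause noted earlier can be illustrated as one validation routine. This is an added example written in Python to show the pattern; it is not the project's Java controller and not code from the advisory. The image-only allowlist, the magic-byte prefixes, and the storage directory in demo_store() are assumptions chosen for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Assumed allowlist for a blog's image uploads: extension -> (expected MIME type,
# accepted leading magic bytes). Anything not listed here is rejected.
ALLOWED = {
    ".png":  ("image/png",  (b"\x89PNG\r\n\x1a\n",)),
    ".jpg":  ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".gif":  ("image/gif",  (b"GIF87a", b"GIF89a")),
}

class UploadRejected(ValueError):
    pass

def validate_upload(original_name, declared_mime, data):
    """Return the allowlisted extension if every check passes; raise UploadRejected otherwise."""
    # Use only the final suffix of the client-supplied basename; directory parts are ignored.
    base = os.path.basename(original_name.replace("\\", "/"))
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    expected_mime, magics = ALLOWED[ext]
    if declared_mime.split(";")[0].strip().lower() != expected_mime:
        raise UploadRejected(f"declared type {declared_mime!r} does not match {ext}")
    # The client-declared Content-Type is untrusted; the bytes must match it too.
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match declared type")
    return ext

def is_rejected(original_name, declared_mime, data):
    """Helper for callers that only need a yes/no answer."""
    try:
        validate_upload(original_name, declared_mime, data)
    except UploadRejected:
        return True
    return False

def store_upload(storage_root, original_name, declared_mime, data):
    """Validate, then write under a random name directly inside storage_root,
    which should be a directory outside the web root served by a controlled handler."""
    ext = validate_upload(original_name, declared_mime, data)
    root = Path(storage_root).resolve()
    stored = root / (secrets.token_hex(16) + ext)   # client never influences the stored name
    assert stored.parent == root
    with open(stored, "xb") as f:                    # 'x': refuse to overwrite an existing file
        f.write(data)
    return stored

def demo_store():
    """Store a constructed PNG under a random name; returns (suffix, stem length, bytes intact)."""
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)          # constructed minimal PNG header
    with tempfile.TemporaryDirectory() as d:
        stored = store_upload(d, "../../../avatar.png", "image/png", png)
        return stored.suffix, len(stored.stem), stored.read_bytes() == png

if __name__ == "__main__":
    print(demo_store())
    print("rejected:", is_rejected("page.jsp", "image/png", b"\x89PNG\r\n\x1a\n"))
```

Three independent checks are applied in order: the extension must be on the allowlist, the declared type must be the one that extension maps to, and the leading bytes must match that type. A file named with an allowed extension but carrying non-image content fails the third check, and a path-traversal style name is neutralised because only the suffix of the basename is ever read and the stored name is generated server-side.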
Workarounds
- Configure the servlet container to deny execution of .jsp and other server-interpreted files within the upload path.
- Place the application behind a web application firewall with rules that block uploads of executable file types.
- Move the upload storage location outside the web root and serve files through a controlled handler that sets safe content types.
- Require multi-factor authentication on administrator accounts to reduce the likelihood of unauthorized upload access.
# Example nginx configuration for a reverse proxy in front of the servlet container.
# nginx does not execute JSP itself; the goal is that requests for uploaded
# server-interpreted files are refused here and never reach the container, and
# that everything else under the upload path is served as an opaque download.
# /upload/ is a placeholder for the path under which My-Blog serves uploaded files;
# add the same proxy_pass or root directive the rest of the server block uses.
location ^~ /upload/ {
    # Empty types map plus octet-stream default: nothing under this path is
    # served with a type a browser would render inline.
    types { }
    default_type application/octet-stream;
    add_header Content-Disposition "attachment";

    # Refuse server-interpreted extensions outright (case-insensitive match).
    location ~* \.(jsp|jspx|war|sh|php)$ {
        deny all;
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.