CVE-2024-5352 Overview
CVE-2024-5352 is an insecure deserialization vulnerability [CWE-502] affecting anji-plus AJ-Report versions up to and including 1.4.1. The flaw is in the validationRules handling of the verification method of com.anjiplus.template.gaea.business.modules.datasetparam.controller.DataSetParamController (DataSetParamController#verification). It is exploitable remotely over the network by a low-privileged user with no user interaction. Exploit details have been publicly disclosed, which raises the likelihood of opportunistic attacks against exposed instances. AJ-Report is an open-source data visualization and reporting platform used for enterprise dashboards.
Critical Impact
Authenticated remote attackers can trigger deserialization of untrusted input through the dataset parameter validation endpoint, potentially leading to arbitrary object instantiation and code execution on the server.
Affected Products
- anji-plus AJ-Report versions up to and including 1.4.1
- Component: DataSetParamController#verification
- Function: validationRules
Discovery Timeline
- 2024-05-26 - CVE-2024-5352 published to NVD
- 2025-03-01 - Last updated in NVD database
Technical Details for CVE-2024-5352
Vulnerability Analysis
The vulnerability stems from unsafe deserialization of attacker-controlled input in the AJ-Report dataset parameter validation workflow. The validationRules handling in DataSetParamController#verification processes serialized data without restricting which classes may be instantiated or verifying the integrity of the input. When a crafted payload is supplied to the verification endpoint, the application reconstructs Java objects from the attacker's bytes, and that reconstruction can invoke gadget chains present on the classpath, producing side effects (such as command execution) during deserialization itself, before any application-level check runs. The attack requires network access and a low-privileged account, but no user interaction.
Root Cause
The root cause is the absence of safe deserialization controls in the dataset parameter validation logic. AJ-Report invokes Java deserialization routines on user-supplied data without using an allowlist of permitted classes or a hardened object input filter. This pattern aligns with [CWE-502: Deserialization of Untrusted Data].
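As an added illustration, not AJ-Report's own code, the following Java shows the unsafe pattern described above beside the hardened form that uses a JEP 290 ObjectInputFilter allowlist. The allowlist contents, the size and depth limits and the sample objects are assumptions chosen for the demo; a real filter would list the application's own DTO classes and nothing else.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class DeserializationFilterDemo {

    // Allowlist filter (assumed for this demo): only the listed classes may be
    // reconstructed; "!*" rejects every other class, and the limits bound
    // nesting depth and stream size so a deep gadget chain cannot even be parsed.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=16384;"
            + "java.lang.String;java.lang.Integer;java.lang.Number;"
            + "java.util.ArrayList;!*");

    // Unsafe pattern: whatever class names the stream carries get instantiated,
    // so any gadget chain on the classpath is reachable.
    public static Object unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the filter is consulted for every class, array, depth
    // and size step before any object is constructed.
    public static Object safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a benign rule list made only of allowed types.
        byte[] benign = serialize(new ArrayList<>(List.of("rule-1", "rule-2")));
        // Constructed stand-in for an attacker payload: a class that is not on
        // the allowlist (a real gadget chain is a sequence of such classes).
        byte[] suspicious = serialize(new HashMap<>(Map.of("k", "v")));

        System.out.println("unsafe accepts benign:     " + unsafeDeserialize(benign));
        System.out.println("unsafe accepts suspicious: " + unsafeDeserialize(suspicious));
        System.out.println("safe accepts benign:       " + safeDeserialize(benign));
        try {
            safeDeserialize(suspicious);
        } catch (InvalidClassException e) {
            // JEP 290 reports a rejected class as InvalidClassException
            // ("filter status: REJECTED") before the object is constructed.
            System.out.println("safe rejects suspicious:   " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied JVM-wide without a code change via -Djdk.serialFilter='...' (or the jdk.serialFilter property in the JDK's security properties file), which is a useful stopgap for an application you cannot patch; the per-stream filter shown here is the better fix for an endpoint that is only ever meant to accept one known type.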
Attack Vector
An attacker with low-privileged access sends a crafted HTTP request to the DataSetParamController#verification endpoint. The request carries a malicious serialized object in the validationRules input. AJ-Report deserializes the payload during parameter verification, triggering the gadget chain. Public disclosure of the exploit lowers the barrier to weaponization. Refer to the GitHub Report Document and the GitHub Issue Tracker for technical specifics on the affected endpoint.
Detection Methods for CVE-2024-5352
Indicators of Compromise
- Unexpected POST requests to AJ-Report dataset parameter endpoints, particularly paths invoking validationRules or verification actions.
- Java process spawning child processes such as shells, cmd.exe, or scripting interpreters from the AJ-Report application context.
- Outbound network connections from the AJ-Report server to unfamiliar external hosts shortly after dataset validation requests.
- Java serialization stream markers in HTTP request bodies: the raw header 0xAC 0xED 0x00 0x05, or its base64-encoded form, which always begins with "rO0AB".
Detection Strategies
- Inspect web access logs for requests targeting DataSetParamController endpoints with binary or base64-encoded request bodies.
- Monitor the Java Virtual Machine for class-loading events involving known deserialization gadget libraries such as Commons Collections, Spring AOP, or ROME.
- Apply web application firewall rules that detect Java serialization magic bytes in unexpected request fields.
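An added detection example, not from the advisory or the AJ-Report project, that applies the indicators above to constructed request captures: it flags bodies that carry the Java serialization stream header either raw (0xAC 0xED 0x00 0x05) or base64-encoded (the "rO0AB" prefix), and rates hits on the verification endpoint higher than hits elsewhere. The route /dataSetParam/verification is an assumption, not something the advisory states; substitute the path your deployment actually serves. The sample captures are constructed, not real traffic.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class SerializedPayloadScanner {

    // Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
    private static final byte[] MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    // Base64 encoding of those four bytes always starts with "rO0AB".
    private static final byte[] MAGIC_B64 = "rO0AB".getBytes(StandardCharsets.US_ASCII);
    // Assumed route for DataSetParamController#verification (not stated in the advisory).
    private static final String VERIFICATION_PATH = "/dataSetParam/verification";

    // A captured request: method, path and raw body bytes from a proxy tap.
    public record Request(String method, String path, byte[] body) {}

    public record Finding(String path, String reason) {}

    // Naive byte search; captured bodies are small, so nothing cleverer is needed.
    static int indexOf(byte[] haystack, byte[] needle) {
        for (int i = 0; i + needle.length <= haystack.length; i++) {
            int j = 0;
            while (j < needle.length && haystack[i + j] == needle[j]) j++;
            if (j == needle.length) return i;
        }
        return -1;
    }

    public static List<Finding> scan(List<Request> requests) {
        List<Finding> findings = new ArrayList<>();
        for (Request r : requests) {
            boolean onVerification = r.path().startsWith(VERIFICATION_PATH);
            String severity = onVerification ? "HIGH: " : "MEDIUM: ";
            int raw = indexOf(r.body(), MAGIC);
            int b64 = indexOf(r.body(), MAGIC_B64);
            if (raw >= 0) {
                findings.add(new Finding(r.path(),
                        severity + "raw Java serialization header at body offset " + raw));
            } else if (b64 >= 0) {
                findings.add(new Finding(r.path(),
                        severity + "base64 Java serialization header at body offset " + b64));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample captures (not real traffic).
        byte[] benignJson = "{\"validationRules\":\"range:1-100\"}".getBytes(StandardCharsets.UTF_8);
        // Header followed by TC_OBJECT, TC_CLASSDESC and a class-name length, truncated.
        byte[] rawStream = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05, 0x73, 0x72, 0x00, 0x11};
        // The same kind of stream (start of a serialized java.util.HashMap) base64-encoded
        // inside a JSON field, which is how a serialized blob is usually smuggled over JSON.
        byte[] wrappedB64 = "{\"validationRules\":\"rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA==\"}"
                .getBytes(StandardCharsets.UTF_8);

        List<Request> captures = List.of(
                new Request("POST", VERIFICATION_PATH, benignJson),
                new Request("POST", VERIFICATION_PATH, rawStream),
                new Request("POST", VERIFICATION_PATH, wrappedB64),
                new Request("POST", "/dataSet/list", rawStream));

        for (Finding f : scan(captures)) {
            System.out.println(f.path() + " -> " + f.reason());
        }
    }
}
```

The base64 check matters because the raw header rarely survives a JSON transport; searching anywhere in the body rather than only at offset 0 catches both cases. Payloads that are hex-encoded, compressed or otherwise transformed will not match, so pair this with the process-lineage and class-loading monitoring described below.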
Monitoring Recommendations
- Enable verbose application logging for the AJ-Report dataset parameter module and forward events to a centralized SIEM.
- Alert on process lineage where the AJ-Report Java process spawns operating system commands.
- Track authentication anomalies on low-privileged AJ-Report accounts that could serve as a pivot for exploitation.
How to Mitigate CVE-2024-5352
Immediate Actions Required
- Restrict network access to AJ-Report instances by placing them behind authenticated reverse proxies or VPNs.
- Audit all AJ-Report user accounts and remove unused or default low-privilege accounts that could be abused.
- Review web server and application logs for prior exploitation attempts targeting the verification endpoint.
- Upgrade AJ-Report to a release later than 1.4.1 once the vendor publishes a fixed version.
Patch Information
As of the last NVD update on 2025-03-01, no vendor advisory URL is listed in the NVD record. Track fixes through the GitHub Issue Tracker and the VulDB entry VDB-266264, and apply the patched release as soon as the maintainers publish it.
Workarounds
- Deploy a web application firewall rule that blocks the Java serialization stream header (0xAC 0xED 0x00 0x05, or its base64 form beginning "rO0AB") in HTTP request bodies destined for AJ-Report. This requires request body inspection to be enabled on the WAF, and it only catches payloads that embed a native serialization stream; payloads encoded some other way (hex, compressed) will not match, so treat it as a stopgap rather than a fix.
- Remove or replace classpath libraries containing known deserialization gadgets where operationally feasible.
- Run the AJ-Report process under a least-privileged service account with no shell access to limit post-exploitation impact.
- Segment the AJ-Report server from sensitive internal networks to contain potential compromise.
# Example WAF rule snippet (ModSecurity) blocking Java serialized payloads.
# Requires SecRequestBodyAccess On. Uses @rx so the hex escapes are interpreted
# by the regex engine, and also matches the base64 form of the header ("rO0AB").
SecRule REQUEST_BODY "@rx (?:\xac\xed\x00\x05|rO0AB)" \
    "id:1005352,phase:2,deny,status:403,log,t:none,\
    msg:'Java serialized object detected in request body - CVE-2024-5352'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.