CVE-2024-5353 Overview
CVE-2024-5353 is a path traversal vulnerability in anji-plus AJ-Report up to version 1.4.1. The flaw resides in the decompress function of the ZIP File Handler component. Attackers can manipulate file paths inside crafted ZIP archives to write or access files outside the intended extraction directory. The vulnerability is exploitable remotely and requires only low-privileged authentication. The exploit details have been disclosed publicly under VulDB identifier VDB-266265. AJ-Report is an open-source data visualization and reporting platform, making this a relevant concern for organizations using it for business intelligence dashboards.
Critical Impact
Remote authenticated attackers can traverse directories via malicious ZIP archives to read or overwrite files on the host, potentially compromising application integrity.
Affected Products
- anji-plus AJ-Report versions up to and including 1.4.1
- ZIP File Handler component (decompress function)
- Deployments exposing AJ-Report endpoints to untrusted users
Discovery Timeline
- 2024-05-26 - CVE-2024-5353 published to NVD
- 2025-03-01 - Last updated in the NVD database
Technical Details for CVE-2024-5353
Vulnerability Analysis
The vulnerability is categorized as path traversal under CWE-22. AJ-Report accepts ZIP archives for processing through its file handler. The decompress function fails to validate entry names within the archive before writing files to disk. Attackers can craft ZIP entries containing ../ sequences that escape the target extraction directory. This is the classic Zip Slip pattern, where archive entry names are concatenated with a base path without canonicalization. Successful exploitation can result in writing files to arbitrary locations or reading unintended files, depending on how the decompressed output is consumed.
Root Cause
The root cause is missing input sanitization on ZIP entry filenames inside the decompress routine. The code does not verify that the resolved output path remains within the intended extraction directory. Standard mitigations such as resolving the canonical path and rejecting entries that resolve outside the destination are absent.
Attack Vector
The attack vector is network-based and requires low privileges. An authenticated user uploads or supplies a malicious ZIP archive to a feature that invokes the vulnerable decompress function. Entries with traversal sequences such as ../../etc/config cause file operations to land outside the intended directory. Public disclosure of the exploit increases the likelihood of opportunistic use against exposed instances. See the GitHub report document and the GitHub issue discussion for technical details.
Detection Methods for CVE-2024-5353
Indicators of Compromise
- ZIP archives uploaded to AJ-Report containing entry names with ../ or absolute path prefixes
- Unexpected files appearing outside the AJ-Report extraction working directory
- Modification timestamps on configuration or web-accessible files coinciding with report uploads
- Application logs showing decompression activity followed by file access errors in unrelated directories
Detection Strategies
- Inspect AJ-Report upload logs and parse incoming ZIP files for entries containing traversal sequences or absolute paths
- Monitor the AJ-Report process for file write operations outside its designated working directory using file integrity monitoring
- Correlate authenticated user sessions with ZIP upload events and subsequent anomalous file system activity
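As an added example that is not AJ-Report's own code, the following Python implements the entry-name scan described in the detection strategies above together with the canonical-path gate that the Root Cause section says the vulnerable decompress routine lacks. The archive, its entry names and the destination directory are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

def build_sample_zip(malicious: bool) -> bytes:  # constructed sample input
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/dashboard.json", '{"title": "sales"}')
        if malicious:  # the two entry shapes named in the indicators list
            zf.writestr("../../etc/config", "owned")    # relative traversal
            zf.writestr("/tmp/absolute.txt", "owned")   # absolute path prefix
    return buf.getvalue()

def traversal_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Detection pass: entry names whose canonical target path escapes dest."""
    dest_real = os.path.realpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Windows-authored archives may use backslashes as separators.
            target = os.path.realpath(os.path.join(dest_real, name.replace("\\", "/")))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(name)
    return bad

def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened decompress: reject the whole archive if any entry escapes dest.
    (Python's extractall() also sanitises names; a hand-written loop must add this gate.)"""
    bad = traversal_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"Zip Slip entries rejected: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)  # reached only after every entry passed the gate
        return zf.namelist()

def run_demo() -> tuple[list[str], bool, list[str]]:
    """Flagged names, whether the malicious archive was refused, what the clean one wrote."""
    with tempfile.TemporaryDirectory() as dest:
        flagged = traversal_entries(build_sample_zip(True), dest)
        try:
            safe_extract(build_sample_zip(True), dest)
            refused = False
        except ValueError:
            refused = True
        written = safe_extract(build_sample_zip(False), dest)
    return flagged, refused, written
```

Rejecting the whole archive rather than skipping individual entries matters: a partially extracted report is itself a tamper signal worth logging.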
Monitoring Recommendations
- Enable verbose application logging for all archive extraction operations
- Deploy file integrity monitoring on directories adjacent to the AJ-Report install path
- Alert on creation of executable or configuration files within web-accessible directories under the AJ-Report deployment
How to Mitigate CVE-2024-5353
Immediate Actions Required
- Restrict access to AJ-Report to trusted internal networks until a fixed version is deployed
- Disable or limit ZIP upload functionality for low-privileged accounts
- Review existing user accounts and remove unnecessary access to report import features
- Audit the AJ-Report installation directory and adjacent paths for unexpected files
Patch Information
At the time of NVD publication, no vendor-supplied patch was referenced in the CVE record. Monitor the anji-plus report repository for fixes addressing the decompress function. Upgrade to any release beyond 1.4.1 that explicitly addresses path traversal in the ZIP File Handler.
Workarounds
- Place AJ-Report behind a reverse proxy with strict authentication and IP allowlisting
- Run the AJ-Report process under a least-privileged service account to limit file write scope
- Implement web application firewall rules to inspect uploaded archives and block entries containing traversal sequences
- Periodically validate the integrity of the AJ-Report deployment directory against a known-good baseline
# Example: scan an uploaded ZIP for traversal entries before processing
# (unzip -Z1 prints bare entry names one per line, so names containing spaces are not split
#  the way the columns of unzip -l would be; the pattern catches absolute paths and any ".." component)
unzip -Z1 /path/to/uploaded.zip | grep -E '(^/|(^|/)\.\.(/|$))' && echo "BLOCK: traversal entries detected"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.