CVE-2024-5355 Overview
CVE-2024-5355 is a command injection vulnerability in anji-plus AJ-Report up to version 1.4.1. The flaw resides in the IGroovyHandler function, which improperly processes attacker-supplied input. Remote attackers with low privileges can manipulate this function to inject arbitrary operating system commands [CWE-77]. AJ-Report is an open-source data visualization and reporting platform widely used for business intelligence dashboards. The exploit details have been disclosed publicly through VulDB entry VDB-266267 and the project's GitHub repository, increasing the risk of opportunistic attacks against exposed instances.
Critical Impact
Authenticated remote attackers can execute arbitrary commands on the host running AJ-Report through the IGroovyHandler function, leading to limited confidentiality, integrity, and availability impact on the application.
Affected Products
- anji-plus AJ-Report versions up to and including 1.4.1
- Deployments exposing the IGroovyHandler endpoint to untrusted networks
- Self-hosted AJ-Report instances integrated with downstream reporting workflows
Discovery Timeline
- 2024-05-26 - CVE-2024-5355 published to NVD
- 2025-03-01 - Last updated in NVD database
Technical Details for CVE-2024-5355
Vulnerability Analysis
The vulnerability stems from unsafe handling of user-controlled input within the IGroovyHandler function in AJ-Report. The handler processes Groovy expressions used for dynamic report scripting. Because input is neither validated nor sandboxed, attackers can supply Groovy code that the runtime evaluates, including calls that spawn operating system commands. The result is command injection executed in the context of the AJ-Report service account.
Exploitation requires network access and low-level privileges, but no user interaction. Public disclosure of exploit details via VulDB (VDB-266267) increases the likelihood of automated scanning and weaponization against internet-facing deployments.
Root Cause
The root cause is missing input sanitization in the IGroovyHandler function. AJ-Report uses Groovy as a scripting backend for report logic, and attacker-supplied expressions reach the interpreter without filtering of dangerous APIs such as Runtime.exec or ProcessBuilder. This allows arbitrary command execution through what is intended to be a constrained scripting feature [CWE-77].
Attack Vector
The attack vector is network-based. An authenticated attacker sends a crafted HTTP request containing a malicious Groovy payload to the AJ-Report endpoint that dispatches to IGroovyHandler. The Groovy runtime evaluates the payload and executes injected shell commands on the server. Successful exploitation can lead to data exfiltration, lateral movement, or service disruption, depending on the privileges of the AJ-Report process.
No verified proof-of-concept code is published in the enriched data. Refer to the GitHub Issue #34 and the GitHub Report Document for technical details disclosed by the reporters.
Detection Methods for CVE-2024-5355
Indicators of Compromise
- Unexpected child processes spawned by the AJ-Report Java process, such as sh, bash, cmd.exe, or powershell.exe
- HTTP requests to AJ-Report endpoints containing Groovy keywords like Runtime.getRuntime, ProcessBuilder, or execute()
- Outbound network connections from the AJ-Report host to unfamiliar IP addresses shortly after report execution
- Anomalous writes to temporary directories or web-accessible paths by the AJ-Report service account
Detection Strategies
- Inspect web access logs for POST requests targeting Groovy-related handlers with suspicious payload contents
- Correlate process creation telemetry on the AJ-Report host with parent-child relationships originating from the Java runtime
- Apply Web Application Firewall (WAF) signatures that flag Groovy meta-programming patterns in HTTP request bodies
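As an added illustration of the log-inspection and process-correlation strategies above (example code, not from the advisory or the AJ-Report project), the Python below scans constructed access-log lines for the Groovy patterns named under Indicators of Compromise and walks constructed process-creation events for shells descending from the JVM; the endpoint path and log layout are assumptions.

```python
import re
# Groovy meta-programming patterns from this advisory's indicators of compromise (case-insensitive).
GROOVY_PATTERNS = re.compile(r"Runtime\.getRuntime|Runtime\.exec|ProcessBuilder|\.execute\(", re.I)
# Child images the AJ-Report JVM has no business spawning.
SHELL_IMAGES = {"sh", "bash", "cmd.exe", "powershell.exe"}
# Constructed sample access log, "METHOD PATH BODY"; the endpoint path is a placeholder,
# not AJ-Report's real handler path or log layout.
ACCESS_LOG = [
    'POST /aj-report/EXAMPLE_ENDPOINT {"script":"return rows.size()"}',
    'POST /aj-report/EXAMPLE_ENDPOINT {"script":"new ProcessBuilder(\\"hostname\\").start()"}',
    'GET /aj-report/dashboard/list -',
    'POST /aj-report/EXAMPLE_ENDPOINT {"script":"\\"hostname\\".execute().text"}',
]
# Constructed process-creation events: pid, parent pid, image name.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "systemd"},
    {"pid": 200, "ppid": 100, "image": "java"},  # the AJ-Report JVM
    {"pid": 300, "ppid": 200, "image": "sh"},    # shell spawned by the JVM
    {"pid": 301, "ppid": 300, "image": "curl"},  # not a shell image; not flagged here
    {"pid": 400, "ppid": 100, "image": "bash"},  # admin shell outside the JVM; not flagged
]

def flag_requests(lines):
    """Return (path, matched_pattern) for POST bodies carrying Groovy execution patterns."""
    hits = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        method, path, body = parts
        match = GROOVY_PATTERNS.search(body)
        if method == "POST" and match:
            hits.append((path, match.group(0)))
    return hits

def flag_shell_children(events):
    """Return (pid, image) of shell processes whose ancestor chain includes a java process."""
    by_pid = {e["pid"]: e for e in events}
    flagged = []
    for event in events:
        if event["image"].lower() not in SHELL_IMAGES:
            continue
        parent = by_pid.get(event["ppid"])
        while parent is not None:
            if parent["image"].lower() == "java":
                flagged.append((event["pid"], event["image"]))
                break
            parent = by_pid.get(parent["ppid"])
    return flagged
```

Pattern matching on request bodies is a triage signal, not proof of exploitation; the process-ancestry check is the stronger indicator and the two should be correlated in the SIEM.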
Monitoring Recommendations
- Enable verbose audit logging for AJ-Report and forward logs to a centralized SIEM for retention and correlation
- Monitor file integrity for AJ-Report configuration files, plugin directories, and reporting templates
- Alert on outbound traffic from the AJ-Report server to non-business destinations, particularly to known malware hosting infrastructure
How to Mitigate CVE-2024-5355
Immediate Actions Required
- Restrict network access to AJ-Report management endpoints using firewall rules or reverse-proxy allowlists
- Audit existing user accounts and revoke unnecessary privileges that could enable authenticated exploitation
- Review recent report executions and server logs for evidence of IGroovyHandler abuse
- Isolate AJ-Report deployments from sensitive internal systems until a patched version is deployed
Patch Information
The enriched data does not list a confirmed fixed version. Track the upstream project at GitHub Issue #34 and the VulDB advisory for remediation guidance. Upgrade to the latest available release of AJ-Report once the vendor publishes a security update addressing IGroovyHandler.
Workarounds
- Disable or remove Groovy scripting features in AJ-Report if they are not required for business operations
- Place AJ-Report behind a WAF configured to block Groovy injection patterns and known command injection payloads
- Run the AJ-Report service under a least-privileged operating system account to limit blast radius from successful exploitation
- Enforce strong authentication and remove default or shared credentials on all AJ-Report user accounts
# Example: restrict AJ-Report to internal networks using iptables
# 9095 is the AJ-Report listening port assumed in this example; replace 10.0.0.0/8 with the
# address range that should actually reach the service. Rules are evaluated in order, so the
# ACCEPT rule must precede the DROP rule.
iptables -A INPUT -p tcp --dport 9095 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 9095 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.