JeeWMS Permission Bypass Vulnerability in AuthInterceptor Component
Vulnerability
A permission bypass vulnerability has been identified in JeeWMS versions prior to 2025.01.01. The issue resides in the AuthInterceptor component, where the logic improperly validates request paths against an exclusion list. This flaw allows unauthorized access to sensitive data by circumventing backend verification.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive data by bypassing authentication requirements.
Reproduction
To reproduce this vulnerability, access a route that requires authentication. The server will respond with a 302 redirect to the login page, indicating that permission verification is in place. However, by appending a crafted request path that includes sensitive data query parameters, it is possible to bypass the authentication check and access backend interfaces without logging in.
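The mitigation side of the flaw described above, as an added illustration that is not JeeWMS's own code: a Spring HandlerInterceptor whose exclusion check decides on a canonical path and exact set membership only, so a request that merely resembles an excluded route still has to carry a valid session. The javax servlet API, the EXCLUDED paths and the "user" session attribute are assumptions; the page does not say which matching mistake the real AuthInterceptor made.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.servlet.HandlerInterceptor;

// Illustrative interceptor (not JeeWMS code): the exclusion decision is made on a
// canonical path and on exact set membership, never on substring or "contains" logic.
public class StrictAuthInterceptor implements HandlerInterceptor {

    // Hypothetical exclusion list: only these exact normalized paths skip the login check.
    private static final Set<String> EXCLUDED = Set.of("/login", "/logout", "/static/app.css");

    // Returns the canonical form of a request path, or null if it cannot be parsed (fail closed).
    static String normalize(String requestPath) {
        if (requestPath == null || !requestPath.startsWith("/")) return null;
        try {
            // Drop ";param" path parameters (e.g. ";jsessionid=..."). URI parsing then discards
            // any '?' query or '#' fragment that reached the path, percent-decodes it and
            // resolves "." / ".." segments.
            String path = requestPath.replaceAll(";[^/]*", "");
            path = URI.create(path).normalize().getPath();
            if (path == null) return null;
            // Collapse repeated slashes and a trailing slash so "//login/" becomes "/login".
            path = path.replaceAll("/{2,}", "/");
            if (path.length() > 1 && path.endsWith("/")) path = path.substring(0, path.length() - 1);
            return path;
        } catch (IllegalArgumentException e) {
            return null; // malformed encoding: treat as protected, not as excluded
        }
    }

    @Override
    public boolean preHandle(HttpServletRequest req, HttpServletResponse res, Object handler)
            throws IOException {
        // Decide on the context-relative path only; the query string plays no part in the decision.
        String path = normalize(req.getRequestURI().substring(req.getContextPath().length()));
        if (path != null && EXCLUDED.contains(path)) {
            return true; // genuinely public endpoint
        }
        // Hypothetical session marker set at login; every other request must be authenticated.
        if (req.getSession(false) != null && req.getSession(false).getAttribute("user") != null) {
            return true;
        }
        res.sendRedirect(req.getContextPath() + "/login"); // the 302 the advisory describes
        return false;
    }
}
```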
