JEEWMS Zip Slip Vulnerability in MigrateForm Component Allows Arbitrary Code Execution

Vulnerability

A zip slip vulnerability has been identified in JEEWMS version 3.7, specifically within the MigrateForm.java component. It allows attackers to execute arbitrary code by uploading a crafted Zip file. The issue arises because the application does not properly validate the contents of the Zip file during extraction, so malicious files from the archive can overwrite existing files and potentially be executed.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution on the server where JEEWMS is running.

Reproduction

To reproduce this vulnerability, upload a Zip file containing a JSP file through the 'doMigrateIn' endpoint of the 'cgformSqlController' controller. The uploaded Zip file will be extracted without proper validation, allowing the included JSP file to be executed on the server.
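
The missing check during extraction can be illustrated with the following added example, which is not JEEWMS code (the page does not show the MigrateForm.java source). The class and method names are hypothetical and the archives are constructed in memory as sample input.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;

public class SafeUnzip { // hypothetical name, not part of JEEWMS
    // Extracts the archive into destDir; throws if any entry would land outside it.
    static void extract(InputStream zipData, Path destDir) throws IOException {
        Path root = destDir.toAbsolutePath().normalize();
        Files.createDirectories(root);
        try (ZipInputStream zin = new ZipInputStream(zipData)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                // Resolve the entry name against the root, then collapse any ".." segments.
                Path target = root.resolve(entry.getName()).normalize();
                // Path.startsWith compares whole path components, unlike String.startsWith.
                if (!target.startsWith(root)) {
                    throw new IOException("Blocked entry outside target dir: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zin, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    // Builds a small archive in memory (constructed sample input).
    static byte[] zipOf(String... names) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            for (String n : names) {
                zout.putNextEntry(new ZipEntry(n));
                zout.write("sample".getBytes());
                zout.closeEntry();
            }
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("migrate-demo");
        extract(new ByteArrayInputStream(zipOf("forms/a.sql")), dest);
        System.out.println("benign archive extracted: " + Files.exists(dest.resolve("forms/a.sql")));
        try {
            extract(new ByteArrayInputStream(zipOf("ok.sql", "../outside.txt")), dest);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check runs per entry, so entries that precede a rejected one have already been written; a stricter variant validates every entry name before extracting anything. Extracting into a directory the web server does not serve or execute from limits the effect of any file that does get written.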

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.