CVE-2023-50090
📋 TL;DR
This vulnerability allows attackers to write arbitrary files to the server through a crafted POST request to the saveReportFile method in ureport2. Successful exploitation could lead to remote code execution, affecting all systems running ureport2 version 2.2.9 and earlier.
💻 Affected Systems
- ureport2
📦 What is this software?
Ureport2 by Ureport2 Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining remote code execution, data theft, and persistent backdoor installation.
Likely Case
Arbitrary file write leading to web shell deployment and subsequent command execution.
If Mitigated
File write limited to web-accessible directories without execution privileges.
🎯 Exploit Status
Public exploit details available in referenced advisories showing simple POST request exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.2.10 or later
Vendor Advisory: https://github.com/advisories/GHSA-445x-c8qq-qfr9
Restart Required: Yes
Instructions:
1. Download ureport2 version 2.2.10 or later from the official repository.
2. Replace the existing ureport2 JAR files with the patched version.
3. Restart the application server.
🔧 Temporary Workarounds
Input Validation Filter
Implement a web application firewall rule or input filter to block malicious POST requests to the saveReportFile endpoint.
# Configure a WAF rule to block POST requests containing path traversal patterns
# Example ModSecurity rule:
SecRule ARGS "\.\./" "id:1001,phase:2,deny"
Access Restriction
Restrict access to ureport2 endpoints using network controls or authentication.
# Apache .htaccess example:
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
# Nginx location block:
location /ureport2/ { deny all; }
🧯 If You Can't Patch
- Isolate ureport2 instance behind strict network segmentation with no internet access.
- Implement application-level input validation to sanitize file path parameters in POST requests.
🔍 How to Verify
Check if Vulnerable:
Check ureport2 version in application configuration or JAR file metadata. If version ≤2.2.9, system is vulnerable.
Check Version:
java -jar ureport2-core-*.jar --version OR check MANIFEST.MF in JAR file
Verify Fix Applied:
Confirm ureport2 version is 2.2.10 or later and test that crafted POST requests to saveReportFile endpoint are rejected.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /ureport2/saveReportFile with unusual file paths
- File write operations to unexpected locations
- Web shell creation in web directories
Network Indicators:
- HTTP POST requests with path traversal sequences (../) to ureport2 endpoints
- Unusual outbound connections from ureport2 server
SIEM Query:
source="web_logs" AND uri="/ureport2/saveReportFile" AND (method="POST" AND (body CONTAINS "../" OR body CONTAINS "/etc/" OR body CONTAINS "/tmp/"))
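An added detection example, not part of this advisory, that applies the log and network indicators above to constructed JSON-lines request records (the record field names and the request parameter names in the samples are assumptions). It goes one step beyond the SIEM query by URL-decoding the body before matching, so percent-encoded traversal sequences are caught as well.

```python
import json
import re
from urllib.parse import unquote

# Indicators from the advisory's SIEM query: traversal sequences and writes
# aimed at sensitive or world-writable locations.
TARGET_URI = "/ureport2/saveReportFile"
SUSPICIOUS_PATTERNS = {
    "path traversal": re.compile(r"\.\.[/\\]"),
    "sensitive directory": re.compile(r"/etc/|/tmp/"),
}

def normalise(text, rounds=2):
    """URL-decode up to `rounds` times so percent-encoded traversal is caught."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(entry):
    """Return the indicator names matched by one parsed record (empty if clean)."""
    uri = entry.get("uri", "").split("?", 1)[0]
    if entry.get("method") != "POST" or uri != TARGET_URI:
        return []
    body = normalise(entry.get("body", ""))
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(body)]

def scan(lines):
    """Parse JSON-lines records and return (src_ip, indicators) for every hit."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        reasons = classify(entry)
        if reasons:
            hits.append((entry.get("src_ip", "?"), reasons))
    return hits

# Constructed sample records (not real traffic; parameter names are made up):
# a benign save, a plain traversal, a percent-encoded one with a query string,
# an unrelated endpoint, and a malformed line.
SAMPLE_LOGS = [
    '{"src_ip":"10.0.0.8","method":"POST","uri":"/ureport2/saveReportFile","body":"name=sales.ureport.xml&data=<ureport/>"}',
    '{"src_ip":"198.51.100.7","method":"POST","uri":"/ureport2/saveReportFile","body":"name=../../ROOT/x.jsp&data=<x/>"}',
    '{"src_ip":"203.0.113.9","method":"POST","uri":"/ureport2/saveReportFile?v=1","body":"name=..%2F..%2Ftmp%2Fx.txt&data=1"}',
    '{"src_ip":"10.0.0.9","method":"POST","uri":"/ureport2/preview","body":"name=../x"}',
    'not a json record',
]
```

Feed the output of `scan()` into an alerting pipeline keyed on source address; the indicator list explains which rule fired.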