CVE-2024-33117

5.3 MEDIUM

📋 TL;DR

CVE-2024-33117 is a Server-Side Request Forgery (SSRF) vulnerability in crmeb_java v1.3.4. The ImageMergeController class fetches a URL taken from the request without validating it, so an attacker can make the application server issue HTTP requests to destinations of the attacker's choosing, including internal systems that the attacker cannot reach directly. Any deployment of crmeb_java v1.3.4 on which the ImageMergeController endpoint is reachable is affected.

💻 Affected Systems

Products:
  • crmeb_java
Versions: v1.3.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable only where the ImageMergeController endpoint is reachable by the attacker; it is exposed in a default deployment.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could reach internal services (admin interfaces, databases, cloud metadata endpoints), exfiltrate sensitive data, or use the vulnerable server as a pivot to attack other internal systems.

🟠 Likely Case

Information disclosure from internal services, internal network and port scanning through the server, or limited data exfiltration.

🟢 If Mitigated

Limited impact if egress filtering and network segmentation prevent the vulnerable server from reaching sensitive internal resources.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SSRF vulnerabilities are commonly exploited, and public details for this issue have been disclosed; no authentication is needed to trigger it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: Yes

Instructions:

1. Check the vendor's releases for a version later than v1.3.4 that addresses this issue.
2. If one exists, update to it.
3. Restart the application server.

🔧 Temporary Workarounds

Input Validation and Whitelisting (applies to: all)

Implement strict input validation for URL parameters and allow only an explicit list of hosts. Modify ImageMergeController.java to validate the URL before any request is made: restrict the scheme to http/https, match the host against the allowlist, check the resolved IP address against loopback, link-local and private ranges, and do not follow redirects (a redirect from an allowed host would otherwise bypass the check).

Network Segmentation (applies to: all)

Restrict outbound network access from the vulnerable server. Configure firewall rules to block outbound HTTP/HTTPS from the application server except to the services it actually requires; this limits what an SSRF can reach even if the application-level check is bypassed.
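The following is an added example of the application-level check described above; it is not code from crmeb_java, and the allowlisted host names and class name are placeholders. It splits the check into a syntactic stage (scheme, userinfo, host allowlist, port), which needs no network, and a resolution stage that refuses any host whose DNS answers include a loopback, link-local, private, shared-address-space or IPv6 unique-local address:

```java
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/*
 * Added example, not crmeb_java code. Allowlist-based validation of a
 * user-supplied image URL before the server fetches it. Host names below
 * are placeholders for the origins the image-merge feature legitimately uses.
 */
public final class SafeImageUrl {
    // Exact host match only; no suffix or substring matching.
    private static final Set<String> ALLOWED_HOSTS = Set.of("img.example.com", "cdn.example.com");
    // -1 is what URI.getPort() returns when no explicit port is given.
    private static final Set<Integer> ALLOWED_PORTS = Set.of(-1, 80, 443);

    private SafeImageUrl() {}

    /** Stage 1: syntactic checks, no network. Throws IllegalArgumentException on anything not allowed. */
    public static URI validateSyntax(String rawUrl) {
        URI uri;
        try {
            uri = new URI(rawUrl);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL");
        }
        String scheme = uri.getScheme();
        if (scheme == null || !Set.of("http", "https").contains(scheme.toLowerCase(Locale.ROOT))) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        // "http://img.example.com@10.0.0.5/" parses with host 10.0.0.5; reject userinfo outright.
        if (uri.getRawUserInfo() != null) {
            throw new IllegalArgumentException("userinfo not allowed");
        }
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("missing or unparsable host");
        }
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) {
            host = host.substring(0, host.length() - 1); // "img.example.com." is the same name
        }
        if (!ALLOWED_HOSTS.contains(host)) {
            throw new IllegalArgumentException("host not in allowlist: " + host);
        }
        if (!ALLOWED_PORTS.contains(uri.getPort())) {
            throw new IllegalArgumentException("port not allowed: " + uri.getPort());
        }
        return uri;
    }

    /** Stage 2: resolve the allowlisted host and refuse if any answer is a non-public address. */
    public static InetAddress resolvePinned(URI uri) throws UnknownHostException {
        InetAddress[] answers = InetAddress.getAllByName(uri.getHost());
        for (InetAddress a : answers) {
            if (isForbidden(a)) {
                throw new IllegalArgumentException(uri.getHost() + " resolves to forbidden address " + a.getHostAddress());
            }
        }
        return answers[0]; // connect to this address rather than resolving the name a second time
    }

    static boolean isForbidden(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true; // 0.0.0.0, 127/8, 169.254/16 (cloud metadata), RFC 1918, ::1, fe80::/10, fec0::/10
        }
        byte[] b = a.getAddress();
        if (a instanceof Inet4Address) {
            int first = b[0] & 0xff;
            return first == 0 || (first == 100 && (b[1] & 0xc0) == 64); // 0.0.0.0/8 and 100.64.0.0/10
        }
        if (a instanceof Inet6Address) {
            return (b[0] & 0xfe) == 0xfc; // fc00::/7 unique local addresses
        }
        return false;
    }

    public static void main(String[] args) {
        String[] probes = {
            "http://127.0.0.1:8080/admin",            // host not allowlisted
            "http://img.example.com@10.0.0.5/x.png",  // userinfo trick
            "file:///etc/passwd",                     // scheme
            "https://img.example.com:8443/x.png",     // port
            "https://img.example.com/x.png"           // passes the syntactic stage
        };
        for (String p : probes) {
            try {
                validateSyntax(p);
                System.out.println("ACCEPT " + p);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + p + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

In the controller, call validateSyntax on the incoming parameter, then resolvePinned, and only then perform the fetch with an HTTP client configured with connect and read timeouts and with redirects disabled (for java.net.http.HttpClient, `followRedirects(HttpClient.Redirect.NEVER)`); following a redirect from an allowlisted host would otherwise reintroduce the SSRF. Because the client may resolve the host name again after the check, either connect to the returned address directly, use a client that accepts a custom resolver, or route the fetch through an egress proxy that enforces the same host list.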

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block SSRF patterns; treat this as defence in depth only, since SSRF payloads are easily disguised with DNS names, alternative IP encodings or redirects
  • Disable or restrict access to the ImageMergeController endpoint (for example, allow it only from trusted source addresses or behind authentication) until a fix is available

🔍 How to Verify

Check if Vulnerable:

Confirm the deployment runs crmeb_java v1.3.4 and that the /api/mergeList endpoint is reachable from the network position of a potential attacker (for Internet-facing deployments, from the Internet).

Check Version:

Check application configuration files or deployment manifests for version information

Verify Fix Applied:

From an authorised test position, submit a URL pointing at a host you control (and one pointing at a loopback address) to the mergeList endpoint; the fix is in place if the request is rejected and no outbound connection arrives at your host.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from application server
  • Requests to internal IP addresses from application
  • Multiple failed connection attempts to internal services

Network Indicators:

  • Application server making unexpected HTTP requests to internal networks
  • Traffic to unusual ports from application server

SIEM Query:

source_ip=application_server AND dest_ip=internal_subnet AND protocol=HTTP

(pseudo-query; substitute the application server's address and your internal address ranges, and include link-local 169.254.0.0/16 so that cloud metadata requests are caught)
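As an added example of the detection logic above, run offline over constructed egress log lines (this is not code from crmeb_java or from any SIEM product), the class below flags requests from the application server to internal or link-local destinations and separately flags a source that touches several distinct internal dst:port pairs, the pattern an SSRF-driven internal scan leaves behind. The log format, the application server address and the internal ranges are assumptions:

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/*
 * Added example, not crmeb_java or SIEM code. Log lines are in a constructed
 * format: "<time> <src> <dst> <dport> <method> <host>", one request per line.
 */
public final class EgressSsrfDetector {
    // Assumed addressing: the crmeb_java host and the ranges it should never call.
    static final String APP_SERVER = "10.0.1.20";
    static final List<String> INTERNAL_CIDRS = List.of(
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16");
    static final int SCAN_THRESHOLD = 3; // distinct internal dst:port pairs from one source

    // Constructed sample lines; only the first request (public CDN over 443) is legitimate.
    static final List<String> SAMPLE_LOG = List.of(
        "2024-05-01T10:00:01Z 10.0.1.20 203.0.113.10 443 GET cdn.example.com",
        "2024-05-01T10:00:02Z 10.0.1.20 169.254.169.254 80 GET 169.254.169.254",
        "2024-05-01T10:00:03Z 10.0.1.20 10.0.2.5 6379 GET 10.0.2.5",
        "2024-05-01T10:00:04Z 10.0.1.20 10.0.2.5 9200 GET 10.0.2.5",
        "2024-05-01T10:00:05Z 10.0.1.20 127.0.0.1 8080 GET localhost",
        "2024-05-01T10:00:06Z 10.0.1.31 10.0.2.5 5432 GET 10.0.2.5"
    );

    /** Prefix match of an address against a CIDR such as "10.0.0.0/8". */
    static boolean inCidr(InetAddress ip, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        byte[] net = InetAddress.getByName(parts[0]).getAddress();
        byte[] addr = ip.getAddress();
        int bits = Integer.parseInt(parts[1]);
        if (net.length != addr.length) {
            return false; // IPv4 range vs IPv6 address or vice versa
        }
        for (int i = 0; i < bits; i++) {
            int mask = 0x80 >> (i % 8);
            if ((net[i / 8] & mask) != (addr[i / 8] & mask)) {
                return false;
            }
        }
        return true;
    }

    static boolean isInternal(String dst) throws UnknownHostException {
        InetAddress ip = InetAddress.getByName(dst); // dst is a literal IP in this format, so no DNS lookup happens
        for (String c : INTERNAL_CIDRS) {
            if (inCidr(ip, c)) {
                return true;
            }
        }
        return false;
    }

    /** Returns one alert string per finding. */
    public static List<String> analyse(List<String> lines) throws UnknownHostException {
        List<String> alerts = new ArrayList<>();
        Map<String, Set<String>> internalTargetsBySrc = new HashMap<>();
        for (String line : lines) {
            String[] f = line.split(" ");
            if (f.length < 6) {
                continue; // malformed line
            }
            String src = f[1], dst = f[2], port = f[3], host = f[5];
            if (!isInternal(dst)) {
                continue;
            }
            internalTargetsBySrc.computeIfAbsent(src, k -> new HashSet<>()).add(dst + ":" + port);
            if (src.equals(APP_SERVER)) {
                alerts.add("SSRF candidate: " + src + " -> " + dst + ":" + port + " (Host: " + host + ")");
            }
        }
        for (Map.Entry<String, Set<String>> e : internalTargetsBySrc.entrySet()) {
            if (e.getValue().size() >= SCAN_THRESHOLD) {
                alerts.add("Internal scan pattern: " + e.getKey() + " reached "
                    + e.getValue().size() + " distinct internal dst:port pairs");
            }
        }
        return alerts;
    }

    public static void main(String[] args) throws UnknownHostException {
        for (String a : analyse(SAMPLE_LOG)) {
            System.out.println(a);
        }
    }
}
```

On the sample data the metadata, Redis-port, Elasticsearch-port and loopback requests from 10.0.1.20 are reported individually, and the same source is also reported for the scan pattern; the request from 10.0.1.31 is internal but comes from a different host and stays below the threshold, so it is not alerted. In a real pipeline, the per-source set should be bounded to a time window, and the application server's legitimate internal dependencies (for example its own database) should be excluded from INTERNAL_CIDRS or allowlisted explicitly to keep the rule quiet.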
