CVE-2024-43033

8.8 HIGH

📋 TL;DR

JPress versions through 5.1.1 on Windows have an arbitrary file upload vulnerability that allows attackers to upload malicious files (like .jsp::$DATA) to execute arbitrary code on the server. This affects all JPress installations on Windows that haven't been patched, potentially leading to complete system compromise.

💻 Affected Systems

Products:
  • JPress
Versions: through 5.1.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows systems due to the ::$DATA stream vulnerability. Linux/macOS systems are not vulnerable to this specific attack vector.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with remote code execution, data theft, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Webshell deployment leading to data exfiltration, defacement, or cryptocurrency mining.

🟢 If Mitigated: File upload blocked or sanitized, preventing malicious file execution.

🌐 Internet-Facing: HIGH - Web applications are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal systems could still be targeted via phishing or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires file upload access to AttachmentController. Public PoC exists in GitHub references. The ::$DATA technique is well-known for Windows file upload bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.1.2 or later

Vendor Advisory: https://github.com/JPressProjects/jpress/issues/188

Restart Required: Yes

Instructions:

1. Update JPress to version 5.1.2 or later.
2. Restart the JPress application server.
3. Verify the patch by testing file upload functionality.

🔧 Temporary Workarounds

Disable file upload functionality (Platform: all)

Temporarily disable the AttachmentController upload endpoint until patching is complete.

Modify web.xml or application configuration to restrict access to /attachment/upload endpoints.

Implement file upload filtering (Platform: windows)

Add server-side validation to reject files containing ::$DATA or other Windows stream indicators.

Add input validation in AttachmentController to check for and reject filenames containing '::$DATA'.
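
A sketch of the filename validation described above, as an added example that is not JPress code or the vendor's patch. The class and method names and the extension allowlist are assumptions, and the check goes slightly beyond '::$DATA' by rejecting any ':' and trailing dots or spaces, which Windows also normalizes away.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class UploadNameGuard {
    // Assumed allowlist for this sketch; adjust to what the site really needs.
    private static final Set<String> ALLOWED_EXT = Set.of("jpg", "jpeg", "png", "gif", "pdf");

    // Weak pattern shown for contrast (hypothetical, not JPress code):
    // a suffix denylist never sees ".jsp" once "::$DATA" is appended.
    static boolean weakSuffixDenylist(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return !(n.endsWith(".jsp") || n.endsWith(".jspx"));
    }

    // Hardened check: validate the exact name that will reach the filesystem.
    static boolean isSafeUploadName(String submitted) {
        if (submitted == null || submitted.isEmpty() || submitted.length() > 255) return false;
        // Keep only the last path component; clients may send full paths.
        int cut = Math.max(submitted.lastIndexOf('/'), submitted.lastIndexOf('\\'));
        String name = submitted.substring(cut + 1);
        if (name.isEmpty()) return false;
        // ':' introduces an NTFS stream ("file:stream", "file::$DATA").
        if (name.indexOf(':') >= 0) return false;
        // Win32 strips trailing dots and spaces, so "x.jsp." is stored as "x.jsp".
        char last = name.charAt(name.length() - 1);
        if (last == '.' || last == ' ') return false;
        // Control characters (including NUL) have no place in a filename.
        if (name.chars().anyMatch(c -> c < 0x20 || c == 0x7f)) return false;
        int dot = name.lastIndexOf('.');
        if (dot <= 0) return false; // no extension, or a dotfile
        return ALLOWED_EXT.contains(name.substring(dot + 1).toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample filenames, not taken from any real request.
        List<String> samples = List.of("photo.png", "shell.jsp", "shell.jsp::$DATA",
                "shell.jsp.", "report.pdf:hidden", "C:\\tmp\\logo.GIF");
        for (String s : samples) {
            System.out.printf("%-22s weak=%-5b hardened=%b%n",
                    s, weakSuffixDenylist(s), isSafeUploadName(s));
        }
    }
}
```

Store the upload under the validated last path component, or under a server-generated name, so the string that was checked and the name written to disk cannot differ.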

🧯 If You Can't Patch

  • Implement WAF rules to block requests containing '::$DATA' in filenames or parameters
  • Restrict file upload permissions to trusted users only and monitor upload activity

🔍 How to Verify

Check if Vulnerable:

Check if running JPress ≤5.1.1 on Windows and test uploading a file with '::$DATA' appended to the filename.

Check Version:

Check JPress version in admin panel or application.properties file for 'jpress.version' property.

Verify Fix Applied:

After updating to ≥5.1.2, attempt to upload a test file with '::$DATA' suffix - it should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • File upload requests containing '::$DATA' in filenames
  • Unexpected .jsp or executable file uploads to attachment directories

Network Indicators:

  • POST requests to /attachment/upload with suspicious filenames
  • Unusual outbound connections from JPress server after file uploads

SIEM Query:

source="jpress.log" AND "upload" AND ("::$DATA" OR ".jsp")
