CVE-2024-50919

9.8 CRITICAL

📋 TL;DR

CVE-2024-50919 is a critical vulnerability in Jpress CMS that allows attackers to upload arbitrary files, including malicious JSP files, leading to remote code execution. This affects all Jpress installations on Windows platforms. Organizations using Jpress for content management are at risk of complete system compromise.

💻 Affected Systems

Products:
  • Jpress CMS
Versions: All versions up to and including v5.1.1
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations due to file extension handling differences. Linux/macOS systems are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with administrative privileges, data exfiltration, ransomware deployment, and lateral movement across the network.

🟠 Likely Case

Webshell deployment leading to persistent backdoor access, data theft, and further exploitation of the server environment.

🟢 If Mitigated

Limited impact with proper file upload restrictions and web application firewalls blocking malicious payloads.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept demonstrates file upload to RCE chain. Exploitation requires no authentication and uses simple HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.1.2 or later

Vendor Advisory: https://github.com/JPressProjects/jpress

Restart Required: Yes

Instructions:

1. Back up the current Jpress installation and database.
2. Download the latest Jpress version from the official GitHub repository.
3. Replace all files with the new version.
4. Restart the web server and application services.
5. Verify functionality.

🔧 Temporary Workarounds

File Upload Restriction

all

Implement strict file upload validation to block JSP and other executable file types

Configure web server to reject .jsp, .jspx, .war file uploads

Web Application Firewall Rules

all

Deploy WAF rules to detect and block malicious file upload attempts

Add rules to block requests containing 'Content-Disposition: form-data' with .jsp extensions

🧯 If You Can't Patch

  • Isolate Jpress instance in network segment with strict outbound filtering
  • Implement application-level file type validation and sanitize all uploads

🔍 How to Verify

Check if Vulnerable:

Check Jpress version in admin panel or via version.txt file. If version is 5.1.1 or earlier on Windows, system is vulnerable.

Check Version:

Check Jpress admin dashboard or inspect WEB-INF/classes/version.properties file

Verify Fix Applied:

After patching, attempt to upload a test JSP file. If upload is rejected with proper error, fix is working.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to upload endpoints with .jsp files
  • Unusual file creation in web directories
  • Java process spawning from web user

Network Indicators:

  • Outbound connections from web server to unknown IPs
  • Large data exfiltration from web server

SIEM Query:

(source="web_server" AND url="*upload*" AND file_extension=".jsp") OR (process_name="cmd.exe" AND parent_process="java.exe")
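
The log indicators and SIEM query above, written out as a small triage script. This is an added example, not part of the original advisory or of any Jpress tooling. The event field names follow the query; the sample events, the `/example/upload` path, the `method` and `filename` fields, and the case and trailing dot/space normalization (general Windows file name handling, not a confirmed detail of this CVE) are assumptions.

```python
import ntpath

# Extensions named in the advisory's workaround section.
EXECUTABLE_EXTS = {".jsp", ".jspx", ".war"}
# Shell process named in the advisory's SIEM query.
SHELLS = {"cmd.exe"}


def effective_ext(filename):
    """Extension as Windows resolves the name: case-insensitive, with
    trailing dots and spaces dropped (assumed general Win32 behaviour)."""
    name = ntpath.basename(filename).rstrip(". ").lower()
    return ntpath.splitext(name)[1]


def classify(event):
    """Return the advisory indicator an event matches, or None."""
    if event.get("source") == "web_server":
        if (event.get("method") == "POST"
                and "upload" in event.get("url", "").lower()
                and effective_ext(event.get("filename", "")) in EXECUTABLE_EXTS):
            return "executable-upload"
    elif event.get("source") == "process":
        if (event.get("process_name", "").lower() in SHELLS
                and event.get("parent_process", "").lower() == "java.exe"):
            return "shell-from-java"
    return None


def triage(events):
    """List (event id, indicator) for every event that matches."""
    return [(e["id"], hit) for e in events if (hit := classify(e))]


# Constructed sample events (not real logs); the upload path is a placeholder.
SAMPLE_EVENTS = [
    {"id": 1, "source": "web_server", "method": "POST", "url": "/example/upload", "filename": "photo.png"},
    {"id": 2, "source": "web_server", "method": "POST", "url": "/example/upload", "filename": "test.jsp"},
    {"id": 3, "source": "web_server", "method": "POST", "url": "/example/Upload", "filename": "test.JSP."},
    {"id": 4, "source": "process", "process_name": "cmd.exe", "parent_process": "java.exe"},
    {"id": 5, "source": "process", "process_name": "cmd.exe", "parent_process": "explorer.exe"},
    {"id": 6, "source": "web_server", "method": "GET", "url": "/example/upload", "filename": ""},
]

if __name__ == "__main__":
    for event_id, indicator in triage(SAMPLE_EVENTS):
        print(event_id, indicator)
```

Event 3 is the case a literal `file_extension=".jsp"` match would miss, which is why the extension is normalized before comparison.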
