
CVE-2024-24001: n/a in n/a

Critical
Published: Tue Feb 06 2024 (02/06/2024, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

jshERP v3.3 is vulnerable to SQL Injection via the com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findallocationDetail() function of jshERP, which allows an attacker to construct a malicious payload to bypass jshERP's protection mechanism.

AI-Powered Analysis

Last updated: 07/06/2025, 08:24:33 UTC

Technical Analysis

CVE-2024-24001 is a critical SQL Injection vulnerability identified in the jshERP software, specifically version 3.3. The vulnerability resides in the findallocationDetail() function within the com.jsh.erp.controller.DepotHeadController class. This function improperly sanitizes user input, allowing an attacker to craft malicious SQL payloads that bypass the application's protection mechanisms. As a result, the attacker can execute arbitrary SQL commands on the backend database without any authentication or user interaction required. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), which is a common and dangerous injection flaw. The CVSS v3.1 base score is 9.8, indicating a critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and impacts on confidentiality, integrity, and availability. Exploitation could lead to unauthorized data disclosure, modification, or deletion, and potentially full system compromise depending on database privileges. Although no known exploits are currently reported in the wild, the critical nature and ease of exploitation make this a significant threat to any organization using jshERP v3.3. No patch links are currently available, indicating that mitigation or vendor fixes may still be pending.

Potential Impact

For European organizations using jshERP v3.3, this vulnerability poses a severe risk to their enterprise resource planning (ERP) systems, which typically manage sensitive business data including financials, inventory, and personnel information. Exploitation could lead to large-scale data breaches exposing confidential customer and business data, resulting in regulatory non-compliance under GDPR and substantial financial penalties. The integrity of business operations could be compromised by unauthorized data manipulation, potentially disrupting supply chains and financial reporting. Availability impacts could cause operational downtime, affecting business continuity. Given the criticality and ease of exploitation without authentication, attackers could remotely compromise systems, increasing the risk of ransomware deployment or lateral movement within networks. The lack of a patch increases the urgency for organizations to implement compensating controls. The threat is particularly acute for sectors relying heavily on ERP systems, such as manufacturing, retail, and logistics within Europe.

Mitigation Recommendations

1. Immediate mitigation should include deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting the vulnerable endpoint.
2. Conduct a thorough code review and input validation audit of the findallocationDetail() function and related database interaction code to implement proper parameterized queries or prepared statements.
3. Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation.
4. Monitor application logs and network traffic for unusual query patterns or access attempts to the vulnerable function.
5. If possible, isolate the jshERP system from direct internet exposure and restrict access to trusted internal networks or VPNs.
6. Engage with the vendor or community to obtain patches or updates as soon as they become available.
7. Prepare incident response plans specifically addressing SQL injection attacks, including data backup and recovery procedures.
8. Educate developers and administrators on secure coding practices to prevent similar vulnerabilities in future releases.
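The following is an added example illustrating recommendations 2 and 4 above; it is not code from jshERP or from the CVE record. It uses Python with the built-in sqlite3 module so it runs offline, but the pattern is the same in the Java data-access layer the advisory describes: a query built by string concatenation (the CWE-89 pattern) beside the same lookup rewritten with a bound parameter, plus a small logging heuristic for flagging request parameters worth reviewing. The table name, column names, sample rows and the depot-lookup function names are all hypothetical.

```python
import re
import sqlite3

# Constructed sample rows for an in-memory SQLite database. The table name and
# columns are hypothetical stand-ins, not jshERP's schema.
SAMPLE_ROWS = [
    (1, "Main warehouse", "Bolts M6", 120),
    (2, "Main warehouse", "Nuts M6", 300),
    (3, "Branch depot", "Bolts M6", 40),
]


def make_db():
    """Create and populate the in-memory database used by the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE allocation_detail "
        "(id INTEGER, depot TEXT, material TEXT, qty INTEGER)"
    )
    conn.executemany("INSERT INTO allocation_detail VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_allocation_detail_vulnerable(conn, depot):
    """CWE-89 pattern: the request parameter is spliced into the SQL text,
    so any quote character in `depot` changes the structure of the query."""
    sql = ("SELECT id, material, qty FROM allocation_detail "
           "WHERE depot = '" + depot + "' ORDER BY id")
    return conn.execute(sql).fetchall()


def find_allocation_detail_safe(conn, depot):
    """Hardened form: the parameter is bound through a placeholder, so the
    database receives it as a value and never parses it as SQL."""
    sql = ("SELECT id, material, qty FROM allocation_detail "
           "WHERE depot = ? ORDER BY id")
    return conn.execute(sql, (depot,)).fetchall()


# Heuristic for log monitoring (recommendation 4): flag parameter values that
# carry SQL string delimiters, statement separators or comment markers. It is a
# logging aid, not a control: legitimate apostrophes trigger it too, which is
# why the real fix is parameterisation rather than filtering.
_SUSPICIOUS = re.compile(r"['\";]|--|/\*|\*/")


def looks_suspicious(value):
    """Return True when a request parameter should be logged for review."""
    return _SUSPICIOUS.search(value) is not None


def run_demo():
    """Exercise both implementations on a benign and a quote-containing input
    and return the observations so they can be checked programmatically."""
    conn = make_db()
    out = {}
    out["benign_vulnerable"] = find_allocation_detail_vulnerable(conn, "Main warehouse")
    out["benign_safe"] = find_allocation_detail_safe(conn, "Main warehouse")
    # A depot name containing an apostrophe is ordinary data to the safe version...
    out["quoted_safe"] = find_allocation_detail_safe(conn, "O'Brien depot")
    # ...but breaks the concatenated query: the quote terminates the string
    # literal early and the remainder is parsed as SQL. The database error seen
    # here is the same surface an attacker's payload would use.
    try:
        find_allocation_detail_vulnerable(conn, "O'Brien depot")
        out["quoted_vulnerable_error"] = None
    except sqlite3.OperationalError as exc:
        out["quoted_vulnerable_error"] = str(exc)
    out["flagged"] = [v for v in ("Main warehouse", "O'Brien depot")
                      if looks_suspicious(v)]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On the benign input both functions return the same two rows; on the input containing an apostrophe the parameterised version simply finds nothing, while the concatenated version fails with a database syntax error, which is the observable sign that user data has reached the SQL parser. The `looks_suspicious` heuristic flags the apostrophe input, a reminder that signature-based monitoring produces false positives on ordinary names and belongs in the logging pipeline, not in place of prepared statements.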


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-01-25T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fa1484d88663aec370

Added to database: 5/20/2025, 6:59:06 PM

Last enriched: 7/6/2025, 8:24:33 AM

Last updated: 7/30/2025, 6:57:17 AM
