CVE-2024-24024 is an arbitrary file download vulnerability identified in Novel-Plus version 4.3.0-RC1 and earlier, located in the com.java2nb.common.controller.FileController class, specifically within the fileDownload() method. The vulnerability arises because the application improperly validates or sanitizes the filePath and fileName parameters passed by users, allowing attackers to craft requests that retrieve arbitrary files from the server's filesystem. This type of vulnerability is categorized under CWE-434 (Unrestricted Upload of File with Dangerous Type) but here manifests as an arbitrary file download, which can lead to unauthorized disclosure of sensitive files such as configuration files, credentials, or source code. The CVSS v3.1 base score is 9.8, reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality, integrity, and availability to a high degree (C:H/I:H/A:H). The vulnerability is exploitable remotely without authentication, making it highly dangerous. Although no known exploits are publicly documented yet, the critical severity and ease of exploitation make it a prime target for attackers. The lack of available patches at the time of publication increases the urgency for mitigation. The vulnerability could be leveraged to exfiltrate sensitive data, facilitate further attacks such as remote code execution if combined with other flaws, or disrupt services by accessing critical system files.

The impact of CVE-2024-24024 is severe for organizations using Novel-Plus, as it allows attackers to download arbitrary files from the server without authentication. This can lead to the exposure of sensitive information including credentials, internal configurations, or proprietary data, compromising confidentiality. Integrity may be indirectly affected if attackers use the information to modify or manipulate system components. Availability could also be impacted if critical system files are exposed or deleted following exploitation. The vulnerability's remote and unauthenticated nature means attackers can exploit it at scale, potentially affecting many organizations globally. This could result in data breaches, regulatory penalties, loss of customer trust, and operational disruptions. Organizations in sectors handling sensitive data, such as finance, healthcare, and government, face heightened risks. Additionally, attackers might chain this vulnerability with others to achieve full system compromise or lateral movement within networks.

To mitigate CVE-2024-24024, organizations should immediately restrict access to the fileDownload() endpoint, ideally limiting it to trusted internal networks or authenticated users until a patch is available. Implement strict input validation and sanitization on filePath and fileName parameters to prevent directory traversal or unauthorized file access. Employ allowlisting of permissible file paths and names to ensure only intended files can be downloaded. Monitor web server and application logs for unusual file download requests or patterns indicative of exploitation attempts. If possible, deploy web application firewalls (WAFs) with rules targeting arbitrary file download attempts. Regularly back up critical data and ensure incident response plans are updated to handle potential data breaches. Engage with the vendor or community for patches or updates and apply them promptly once released. Conduct security assessments and penetration tests focusing on file handling functionalities to identify similar weaknesses.