CVE-2024-48307 Scanner

CVE-2024-48307 Scanner - SQL Injection vulnerability in JeecgBoot

Short Info

Level: Critical
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 15 days
Scan only one: Domain, IPv4
Toolbox: -

JeecgBoot is a widely-used open-source rapid development platform designed for building business applications. It is commonly utilized in enterprise environments where flexibility and scalability are required in creating business management systems. JeecgBoot allows developers to quickly set up, configure, and deploy applications for a variety of sectors, including finance, retail, and logistics. The platform provides built-in tools for data management, workflow configuration, and system integration. Due to its widespread use, it is essential for organizations to maintain the security of JeecgBoot to prevent vulnerabilities that could impact their applications.

The JeecgBoot v3.7.1 application is vulnerable to SQL Injection attacks through its `getTotalData` endpoint. This vulnerability occurs when an attacker is able to inject arbitrary SQL commands into the query executed by the application. SQL Injection vulnerabilities arise due to insufficient input validation, allowing attackers to manipulate the SQL queries executed on the database. This issue is critical as it can lead to unauthorized access to sensitive data, data manipulation, and potential system compromise. The vulnerability is classified under CWE-89, SQL Injection, and has a CVSS score of 9.8, making it highly severe.

The vulnerability exists in the `getTotalData` endpoint, where user input is not properly sanitized before being used in SQL queries. This allows attackers to insert malicious SQL code into the request parameters, potentially altering the query and extracting sensitive information from the database. The vulnerable parameters are part of the request payload, specifically the `id` and `name` fields. By injecting crafted SQL commands, attackers could bypass authorization, retrieve unauthorized data, or manipulate database content. The application does not perform proper input validation or use parameterized queries, which is what makes this issue exploitable.
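An allowlist check for the `id` and `name` fields of requests to `getTotalData`, usable as a gateway filter or to triage captured request bodies. This is an added example, not JeecgBoot or scanner code. It assumes a JSON request body and that legitimate values are integers or plain identifiers; the URL prefix, payload layout and function names are hypothetical.

```python
import json
import re

# Assumption: legitimate `id` / `name` values are integers or plain identifiers.
SAFE_VALUE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")
WATCHED_FIELDS = {"id", "name"}


def iter_watched(node, path="$", watched=False):
    """Yield (json_path, scalar) for every value held by an `id`/`name` key."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_watched(value, f"{path}.{key}", key in WATCHED_FIELDS)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_watched(item, f"{path}[{i}]", watched)
    elif watched:
        yield path, node


def is_safe(value):
    """Accept integers and identifier-shaped strings, reject everything else."""
    if isinstance(value, int) and not isinstance(value, bool):
        return True
    return isinstance(value, str) and SAFE_VALUE.fullmatch(value) is not None


def inspect_request(url_path, body):
    """Return findings for one request; an empty list means it passes."""
    if "getTotalData" not in url_path:
        return []  # only the endpoint named on this page is checked
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return ["body is not valid JSON"]
    return [f"{where}: rejected value {value!r}"
            for where, value in iter_watched(payload) if not is_safe(value)]


# Constructed samples: the URL prefix and payload layout are hypothetical.
PATH = "/example/getTotalData"
GOOD = json.dumps({"config": {"id": "order_id", "name": ["region", "total"]}})
BAD = json.dumps({"config": {"id": "order_id", "name": ["total' OR '1'='1"]}})

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bad", BAD)):
        print(label, inspect_request(PATH, body) or "ok")
```

A filter like this only narrows exposure; the underlying fix remains upgrading JeecgBoot and using parameterized queries.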

If exploited, the SQL Injection vulnerability could lead to serious security breaches. Attackers could gain unauthorized access to sensitive information such as user credentials, financial records, or other confidential data. This information could then be used for malicious purposes, including identity theft, fraud, or system compromise. In addition, attackers could perform database manipulation, deleting or altering critical data, leading to operational disruptions. The vulnerability poses a significant risk to the integrity, confidentiality, and availability of the application and its data.
