CRITICAL🇵🇱 Wersja polska

CVE-2023-41543

CVSS 9.8v3.1pub. 2023-12-30upd. 2024-11-21

SQL injection vulnerability in jeecg-boot v3.5.3, allows remote attackers to escalate privileges and obtain sensitive information via the component /sys/replicate/check.

🤖 AI Analysis
How it works

The vulnerability (CWE-89) results from insufficient validation and sanitization of input data passed to SQL queries in the /sys/replicate/check endpoint. An attacker can inject malicious SQL code without needing to have any privileges or user interaction. The attack vector is network-based and the attack requires no special preconditions (AC:L, PR:N, UI:N), making it particularly easy to perform.

Impact

An attacker can gain access to sensitive information stored in the database and escalate their privileges in the application. The vulnerability is rated as critical with full impact on confidentiality, integrity and availability of the system (C:H/I:H/A:H).

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references. As an interim measure, consider restricting network access to the /sys/replicate/check endpoint and implementing WAF rules blocking SQL injection attempts.

Who is affected

Jeecg Boot version 3.5.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jeecg Boot

    APP
    Jeecg
    ≤ 3.5.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SQLiLPE
CWE
References

Related vulnerabilities

CVE-2024-40489CRITICAL9.8PL ✓ten sam produkt

Injection/RCE w Jeecg Boot 3.0.0–3.5.3 przez niedostateczne filtrowanie znaków

CVE-2024-43028CRITICAL9.8PL ✓ten sam produkt

Command injection w Jeecg Boot — zdalne wykonanie kodu przez /jmreport/show

CVE-2024-48307CRITICAL9.8PL ✓ten sam produkt

SQL Injection w JeecgBoot przez endpoint getTotalData

CVE-2023-41544CRITICAL9.8PL ✓ten sam produkt

RCE poprzez SSTI injection w Jeecg Boot — komponent /jmreport/loadTableData

CVE-2023-41542CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych