CRITICAL🇵🇱 Wersja polska

CVE-2023-41544

CVSS 9.8v3.1pub. 2023-12-30upd. 2024-11-21

SSTI injection vulnerability in jeecg-boot version 3.5.3, allows remote attackers to execute arbitrary code via crafted HTTP request to the /jmreport/loadTableData component.

🤖 AI Analysis
How it works

The attacker sends a crafted HTTP request to the /jmreport/loadTableData endpoint, injecting malicious payload into the server-side template being processed. The template engine interprets the passed data as code and executes it in the server context. This mechanism corresponds to the CWE-94 classification (Improper Control of Generation of Code), where user input is improperly neutralized before being passed to the template interpreter.

Impact

An attacker can remotely execute arbitrary code on the server (RCE) without any authentication, potentially leading to complete system takeover, data theft, and compromise of service integrity and availability.

Mitigation & patch

Apply patches available from the vendor according to the references. Additionally, it is recommended to restrict network access to the /jmreport/loadTableData endpoint only to trusted sources if immediate patching is not possible.

Who is affected

Jeecg Boot version 3.5.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Jeecg Boot

    APP
    Jeecg
    ≤ 3.5.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2024-40489CRITICAL9.8PL ✓ten sam produkt

Injection/RCE w Jeecg Boot 3.0.0–3.5.3 przez niedostateczne filtrowanie znaków

CVE-2024-43028CRITICAL9.8PL ✓ten sam produkt

Command injection w Jeecg Boot — zdalne wykonanie kodu przez /jmreport/show

CVE-2024-48307CRITICAL9.8PL ✓ten sam produkt

SQL Injection w JeecgBoot przez endpoint getTotalData

CVE-2023-41543CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych

CVE-2023-41542CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych