A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request.
The vulnerability is located in the /jmreport/show endpoint accessible over the network. An attacker can send a crafted HTTP request containing a malicious payload that is passed to the system command interpreter without proper validation or sanitization of input data (CWE-77 — improper neutralization of special elements used in a command). As a result, arbitrary system commands are executed with the privileges of the application process.
An attacker without any authentication can remotely execute arbitrary code on the server, leading to complete system takeover, data breach, and the ability to disrupt application functionality.
Apply patches available from the vendor according to the references. Urgent update to a version newer than v3.5.3 is recommended, and until the update is applied, restrict access to the /jmreport/show endpoint at the firewall or reverse proxy level, especially for unauthenticated users.
Jeecg Boot versions from v3.0.0 to v3.5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HJeecg Boot
APPJeecg3.0 – 3.5.3
Related vulnerabilities
Injection/RCE w Jeecg Boot 3.0.0–3.5.3 przez niedostateczne filtrowanie znaków
SQL Injection w JeecgBoot przez endpoint getTotalData
SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych
SQL Injection w Jeecg Boot — eskalacja uprawnień i wyciek danych
RCE poprzez SSTI injection w Jeecg Boot — komponent /jmreport/loadTableData