SQL Injection vulnerability in RuoYi v.4.7.9 and before allows a remote attacker to execute arbitrary code via the createTable function in SqlUtil.java.
The vulnerability results from insufficient validation and sanitization of input data passed to the createTable function in SqlUtil.java, allowing malicious SQL code injection. An attacker can send a specially crafted network request without the need for authentication. Successful injection enables execution of arbitrary commands at the database level, and consequently also code execution on the server (RCE).
An attacker can gain full control over the system — read, modify or delete data in the database, as well as execute arbitrary code on the server (RCE), which may lead to complete system takeover.
A patch available in the vendor's repository should be applied (commit ddd858ca732618a472b10eaab2f8e4b45812ffc5 in the Gitee repository). It is recommended to update to the patched version as soon as possible and restrict network access to the RuoYi admin panel.
RuoYi v.4.7.9 and all earlier versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HRuoyi
APPRuoyi≤ 4.7.9
Related vulnerabilities
RuoYi v4.8.2 — nieprawidłowa kontrola dostępu w funkcji aktualizacji
Eskalacja uprawnień w RuoYi v.4.8.0 poprzez parametr jobLogId
RuoYi 4.8.0 – privilege escalation przez metodę changeStatus
Eskalacja uprawnień przez parametr jobId w RuoYi v.4.8.0
RuoYi 4.8.0 — privilege escalation przez brak walidacji parametru deptId