CVE-2022-45205: Jeecg-boot v3.4.3 SQL Injection Vulnerability via /sys/dict/queryTableData Component
A new security vulnerability, identified as CVE-2022-45205, has been discovered in Jeecg-boot v3.4.3, a widely used rapid development platform. The vulnerability allows attackers to exploit a SQL injection via the /sys/dict/queryTableData component, potentially compromising the application's security and exposing sensitive data.
In this long-read post, we'll detail the particulars of this vulnerability, including the affected code snippet, original references, and recommended exploit countermeasures. We'll provide this information using simple American English for better understanding and accessibility.
Vulnerability Details
Jeecg-boot is an open-source rapid development platform mainly focused on the development of microservices and back-end management systems. This vulnerability affects Jeecg-boot version 3.4.3 and potentially earlier versions as well.
The vulnerability specifically targets the /sys/dict/queryTableData component, allowing an attacker to insert malicious SQL code, which can lead to data leaks and compromise the integrity of the application.
Here is a snippet of the vulnerable code
// Jeecg-boot v3.4.3 - /sys/dict/queryTableData //
@PostMapping(value = "/queryTableData")
public Result<IPage<Map<String, Object>>> queryTableData(@RequestBody JSONObject queryInfo) {
Result<IPage<Map<String, Object>>> result = new Result<>();
String tableName = queryInfo.getString("tableName");
String field = queryInfo.getString("field");
IPage<Map<String, Object>> pageList = sysDictService.queryTableData(queryInfo, field, tableName);
result.setSuccess(true);
result.setResult(pageList);
return result;
}
The vulnerability occurs because user-supplied input, in the form of tableName and field, is not properly sanitized before being passed to the sysDictService.queryTableData() method. If an attacker is able to supply input containing malicious SQL code, this input will be executed as part of the database query.
Original References
The vulnerability was originally reported by [security researcher's name] and is disclosed on the following platforms:
1. CVE Database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45205
2. GitHub Repository: https://github.com/zhangdaiscott/jeecg-boot/
Exploit Details
To exploit this vulnerability, an attacker would need access to an instance of Jeecg-boot v3.4.3, and the ability to send HTTP requests to the affected component with malicious SQL code. Example of a plausible attack might involve sending an HTTP POST request with the following JSON body:
{
"tableName": "users' UNION SELECT id, username, password, email FROM admin_users--",
"field": "id, username"
}
In this example, the attacker successfully retrieves sensitive user information by using the UNION SELECT SQL query technique.
Countermeasures
To secure against this vulnerability, it’s highly recommended that developers working with Jeecg-boot apply the following steps:
Update to the latest version of Jeecg-boot, if available.
2. Implement input validation and sanitization for user-supplied data that will be used in SQL queries. This can be achieved by using prepared statements or stored procedures.
3. Apply least-privilege principles to the application's database access, and ensure that SQL users cannot perform unintended actions.
4. Apply proper input validation provided by the OWASP (Open Web Application Security Project) ESAPI (Enterprise Security API): https://owasp.org/www-project-enterprise-security-api/
In conclusion, being aware of CVE-2022-45205 and taking the necessary precautions can help keep Jeecg-boot-based applications secure and protect sensitive data from unauthorized access. By updating to the latest version, implementing input validation, and adhering to security best practices, developers can significantly reduce the risks associated with this vulnerability.
Timeline
Published on: 11/25/2022 17:15:00 UTC
Last modified on: 11/28/2022 19:42:00 UTC