CVE-2022-45208 – SQL Injection Vulnerability in Jeecg-Boot v3.4.3 Via Component /sys/user/putRecycleBin

A SQL Injection vulnerability (CVE-2022-45208) has been discovered in the open-source Java-based Rapid Development Platform, Jeecg-boot version 3.4.3. This vulnerability is particularly alarming since attackers can exploit it to modify and extract sensitive data from the system, compromising the confidentiality and integrity of the affected application. This blog post aims to provide detailed information about the CVE-2022-45208 vulnerability, including code snippets, original references, and exploit details.

Details

The vulnerability was found in the component /sys/user/putRecycleBin, which is responsible for handling user-related operations in Jeecg-Boot. As the name suggests, this component is primarily used for placing user profiles into a 'Recycle Bin' state. When an attacker sends a specially crafted request containing malicious SQL payloads to the vulnerable component, they can perform unrestricted SQL operations on the target database, bypassing standard application-level security checks.

A vulnerable code snippet in the /sys/user/putRecycleBin component looks like the following

@RequestMapping(value = "/putRecycleBin", method = RequestMethod.DELETE)
public Result<?> putRecycleBin(@RequestParam(name = "id", required = true) String id) {
    sysUserService.updateByUserState(id, "1");
    return Result.ok("已移动至回收站!");
}

The primary issue within this code snippet is the missing input validation, which causes the id parameter to be passed directly as part of the SQL query, allowing attackers to manipulate the query structure and inject malicious payloads.

Exploit Details

An attacker can take advantage of this vulnerability by sending a crafted request to the affected endpoint, such as:

DELETE /sys/user/putRecycleBin?id=1' OR 1=1 --+
Host: [target_host]
...

Here, replacing the 'id' parameter with a standard SQL Injection payload (e.g., 1' OR 1=1 --+) allows the attacker to bypass security checks and execute arbitrary SQL queries on the target database.

To mitigate this vulnerability, proper input validation or parameterized queries should be implemented. A potential solution would be to switch to PreparedStatements, as shown below:

public void updateByUserState(String id, String state) {
    String query = "UPDATE sys_user SET del_flag=? WHERE id=?";
    try (PreparedStatement preparedStatement = connection.prepareStatement(query)) {
        preparedStatement.setString(1, state);
        preparedStatement.setString(2, id);
        preparedStatement.executeUpdate();
    } catch (SQLException e) {
        // Handle the exception
    }
}

1. Jeecg-Boot repository on GitHub – https://github.com/zhangdaiscott/jeecg-boot
2. CVE-2022-45208 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45208

Conclusion

The CVE-2022-45208 vulnerability highlights the importance of secure coding practices and proper input validation in web applications. By understanding and fixing vulnerable implementations, developers can better protect their applications and users from potential security risks, helping maintain the confidentiality and integrity of data.

Please ensure you update your Jeecg-Boot installation to the latest version to protect your application from this vulnerability.

Timeline

Published on: 11/25/2022 17:15:00 UTC
Last modified on: 11/28/2022 19:41:00 UTC