A critical vulnerability identified as CVE-2024-35084 was recently discovered in the popular J2EEFAST v2.7. framework. This vulnerability, a SQL injection, resides in the findPage function of the SysMsgPushMapper.xml file and, if left unpatched, can expose sensitive information and give an attacker unauthorized access. In this article, we delve into the details of this vulnerability, discuss the code snippet and affected versions, and provide links to the original references.

Details of the Vulnerability

SQL injection is a well-known, critical security vulnerability in which an attacker injects SQL syntax into a query string, causing it to return unintended results or perform unwanted actions on the database. In J2EEFAST v2.7., the SQL injection vulnerability CVE-2024-35084 is located in the findPage function of the SysMsgPushMapper.xml file.

The findPage function, defined in the SysMsgPushMapper.xml MyBatis mapper, is responsible for fetching message-push records for display. The vulnerability occurs because unsanitized, user-supplied data is spliced directly into the SQL text without proper input validation or parameterization.

Code Snippet

The following code snippet from the SysMsgPushMapper.xml file demonstrates the vulnerable findPage function:

<select id="findPage" resultMap="BaseResultMap" parameterType="com.j2eefast.system.sysmsg.entity.SysMsgPushEntity" >
    SELECT
    <include refid="Base_Column_List" />
    FROM sys_msg_push
    <!-- #{...} is a bound JDBC parameter: the value cannot change the statement -->
    WHERE Receive_Type = #{receiveType}
    AND receiveUserId = ${com.j2eefast.common.core.utils.HttpContextUtils.loginId()}
    <if test="title != null and title !=''" >
        <!-- ${...} is textual substitution: the user-supplied title is pasted into the SQL string as-is -->
        AND title LIKE '%${title}%'
    </if>
</select>

As the snippet shows, the "title" parameter is inserted with ${title}, MyBatis string substitution, which pastes the raw value into the SQL text before the statement is prepared; unlike the bound #{receiveType} parameter, it is not sanitized or escaped, so it is susceptible to SQL injection.
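To make the difference between ${...} substitution and #{...} binding concrete, here is an added example (not J2EEFAST code and not from the original article): a small Python script that audits a MyBatis mapper for ${...} substitutions and runs a parameterized rewrite of the findPage query against constructed sample rows. The mapper strings are reconstructed from the snippet above, the loginId bind name, the explicit column list standing in for the <include>, and the SQLite sys_msg_push table are all assumptions made for this example.

```python
"""Audit MyBatis mapper XML for ${...} string substitution and run the
parameterized rewrite of findPage against sample data.

Added example for this article; not part of J2EEFAST. The mapper strings are
constructed from the snippet shown above (the <include> is replaced by explicit
columns so the XML stands alone), and the sys_msg_push table is a minimal
stand-in with only the columns the WHERE clause needs.
"""
import re
import sqlite3
import xml.etree.ElementTree as ET

# MyBatis semantics: #{expr} becomes a JDBC bind parameter; ${expr} is pasted
# into the SQL text before it is prepared. Only ${} can change query structure.
SUBSTITUTION = re.compile(r"\$\{([^}]*)\}")

VULNERABLE_MAPPER = """<mapper namespace="example">
<select id="findPage" resultMap="BaseResultMap">
    SELECT id, title, receiveUserId FROM sys_msg_push
    WHERE Receive_Type = #{receiveType}
    AND receiveUserId = ${com.j2eefast.common.core.utils.HttpContextUtils.loginId()}
    <if test="title != null and title !=''">
        AND title LIKE '%${title}%'
    </if>
</select>
</mapper>"""

# Hardened form: title is bound with #{} and the wildcards are appended in SQL
# (CONCAT in MySQL/MariaDB), so the user value can never alter the statement.
# loginId is assumed to be passed in by the caller instead of evaluated here.
HARDENED_MAPPER = """<mapper namespace="example">
<select id="findPage" resultMap="BaseResultMap">
    SELECT id, title, receiveUserId FROM sys_msg_push
    WHERE Receive_Type = #{receiveType}
    AND receiveUserId = #{loginId}
    <if test="title != null and title !=''">
        AND title LIKE CONCAT('%', #{title}, '%')
    </if>
</select>
</mapper>"""


def find_substitutions(mapper_xml):
    """Return (statement id, expression) for every ${...} in the SQL text of
    each mapped statement, including text nested inside <if>/<where> tags.
    Every hit is reported, even server-derived ones like loginId(): each
    needs a reviewer to confirm the value is not attacker-influenced."""
    root = ET.fromstring(mapper_xml)
    hits = []
    for stmt in root:
        if stmt.tag not in ("select", "insert", "update", "delete"):
            continue
        sql_text = "".join(stmt.itertext())
        for expr in SUBSTITUTION.findall(sql_text):
            hits.append((stmt.get("id"), expr.strip()))
    return hits


def search_titles(title, login_id=42):
    """Execute the hardened findPage logic with bind parameters against an
    in-memory SQLite table of constructed rows and return matching ids.
    SQLite spells string concatenation as ||; the MySQL form is CONCAT()."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_msg_push (id INTEGER, title TEXT, "
                 "receiveUserId INTEGER, Receive_Type INTEGER)")
    conn.executemany(
        "INSERT INTO sys_msg_push VALUES (?, ?, ?, ?)",
        [(1, "quarterly report", 42, 1),
         (2, "it's urgent", 42, 1),      # apostrophe in data, handled by binding
         (3, "quarterly report", 7, 1)],  # another user's row: must stay hidden
    )
    rows = conn.execute(
        "SELECT id FROM sys_msg_push WHERE Receive_Type = ? AND receiveUserId = ?"
        " AND title LIKE '%' || ? || '%'",
        (1, login_id, title),
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for stmt_id, expr in find_substitutions(VULNERABLE_MAPPER):
        print(f"{stmt_id}: ${{{expr}}} is string substitution, review it")
    print("hardened mapper hits:", find_substitutions(HARDENED_MAPPER))
    print("search it's ->", search_titles("it's"))
```

The audit reports two substitutions in the vulnerable mapper (the loginId() call and title) and none in the hardened one; the parameterized search returns only the current user's rows, and a title containing a quote is matched as plain text rather than altering the query.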

Exploit Details

An attacker, with knowledge of the system, can exploit CVE-2024-35084 by injecting malicious SQL code directly into the "title" parameter in the vulnerable findPage function. This could result in unauthorized access to sensitive information stored in the database, data modification, or the complete compromise of the affected system.

For example, an attacker could use the following SQL injection payload:

title='); DROP TABLE Users;--

If successful, this would result in all data held in the Users table being lost.

Affected Versions

CVE-2024-35084 affects J2EEFAST v2.7.. It is recommended to check for any available security updates or patches provided by the developers of J2EEFAST.

For more information about this vulnerability, you can visit the following original references:

- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35084
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35084
- GitHub Issue: https://github.com/j2eefaster/J2EEFAST/issues
- Exploit Database: https://www.exploit-db.com/exploits/

Conclusion

It's crucial to stay up to date with the latest security updates and patches to protect your system from vulnerabilities like CVE-2024-35084. By following best practices such as proper input validation and query parameterization, and by keeping an eye on reliable security sources, you can safeguard your applications and databases from potential threats.

Timeline

Published on: 05/23/2024 17:15:30 UTC
Last modified on: 07/03/2024 02:01:21 UTC