CVE-2023-24789
Description
jeecg-boot v3.4.4 was discovered to contain an authenticated SQL injection vulnerability via the building block report component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated SQL injection vulnerability in jeecg-boot v3.4.4's building block report component allows attackers to extract database contents.
Vulnerability
Description
CVE-2023-24789 is an authenticated SQL injection vulnerability in the building block report component of jeecg-boot version 3.4.4. The root cause is insufficient sanitization of user-supplied input when creating a new SQL dataset within the report design feature, allowing an attacker to inject arbitrary SQL commands [1][2].
Exploitation
An attacker must first authenticate to the jeecg-boot application, potentially using default credentials. Once logged in, they navigate to the visual design menu, select report design, and create a new report. By adding a new SQL dataset and injecting a malicious payload (e.g., a UNION SELECT statement), the attacker can execute arbitrary SQL queries against the underlying database [2].
Impact
Successful exploitation enables the attacker to retrieve sensitive information from the database, such as all schema names via the information_schema.SCHEMATA table. This can lead to full data exfiltration, including user credentials and other confidential data stored in the database [2].
Mitigation
As of the publication date, no official patch has been released by the vendor. Users are advised to restrict access to the report design functionality to trusted users only and to apply input validation or parameterized queries as a workaround until a fix is available [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jeecgframework.boot:jeecg-boot-parent (Maven) | <= 3.4.4 | — |
Affected products
- jeecg-boot/jeecg-boot
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-qxpm-5ghc-6gc2 (GHSA advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2023-24789 (NVD advisory)
- [3] https://github.com/jeecgboot/jeecg-boot/issues/4511 (web, upstream issue tracker)
News mentions
No linked articles in our index yet.