CVE-2023-34602
Description
JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryTableDictItemsByCode at org.jeecg.modules.api.controller.SystemApiController.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in JeecgBoot <=3.5.1 via queryTableDictItemsByCode allows unauthenticated attackers to extract sensitive data.
Vulnerability
Overview
The vulnerability is a SQL injection flaw in the queryTableDictItemsByCode method of SystemApiController in JeecgBoot up to version 3.5.1 [1]. The root cause is that user-supplied table and field names are interpolated directly into SQL queries through MyBatis' ${} syntax, which performs plain string substitution rather than parameter binding, without adequate validation. The existing blacklist filter was bypassed, as reported in the issue [4] and fixed in commit [3]. The commit's comments describe the new check as a guard against special strings in table and field names; the pattern it actually adds (ILLEGAL_NAME_REG) rejects names containing a run of two or more hyphens, i.e. the -- comment sequence.
Exploitation
An attacker can exploit this by sending a crafted HTTP request to the vulnerable endpoint. The proof-of-concept URL from the issue [4] uses three parameters: table=sys_user, text=password as "text", username as "value" from sys_user --, and code=username. The -- sequence comments out the remainder of the SQL statement, allowing the attacker to control the query output and retrieve arbitrary columns from arbitrary tables. No authentication is required, so the attack surface is reachable by anyone who can reach the application over the network.
Impact
Successful exploitation enables an unauthenticated attacker to extract sensitive information from the database, including usernames, password hashes, and salt values from the sys_user table [4]. This could lead to account compromise and further lateral movement within the application.
Mitigation
The vulnerability has been patched in a later commit [3] by adding a check to block special strings like -- in table and field names. Users should upgrade to a version newer than 3.5.1, such as the latest release 3.9.2 [1], which likely includes this fix. There is no known workaround other than applying the patch or upgrading.
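As an added illustration that is not JeecgBoot's own code, the stand-alone Java class below contrasts the denylist pattern introduced by the fix commit with an identifier allowlist applied to the same table/field names; the class, method names and the allowlist pattern are assumptions, and the inputs are constructed (one of them is the field value quoted from issue #4983).

```java
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical demo class; not part of JeecgBoot. */
public class NameCheckDemo {
    // The denylist from the fix commit: reject a run of two or more hyphens.
    static final Pattern ILLEGAL_NAME_REG = Pattern.compile("[-]{2,}");
    // Assumed allowlist (not from the project): a bare SQL identifier only.
    static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    /** Mirrors the patched check: a name passes unless it contains "--". */
    static boolean passesDenylist(String name) {
        return name != null && !ILLEGAL_NAME_REG.matcher(name).find();
    }

    /** Allowlist: only identifier characters may reach a ${} placeholder. */
    static boolean passesAllowlist(String name) {
        return name != null && IDENTIFIER.matcher(name).matches();
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate table name, the field value quoted
        // in issue #4983, a name with a single hyphen, and a missing name.
        List<String> names = java.util.Arrays.asList(
            "sys_user",
            "password as \"text\", username as \"value\" from sys_user --",
            "user-name",
            null);
        for (String n : names) {
            System.out.printf("%-62s denylist=%-5s allowlist=%s%n",
                n, passesDenylist(n), passesAllowlist(n));
        }
    }
}
```

The reported payload is rejected by both checks; the allowlist additionally rejects every name that is not a plain identifier, which is the property a value spliced in via ${} actually needs.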
- GitHub - jeecgboot/JeecgBoot: AI low-code platform, driven by the dual modes "low-code + zero-code": low-code generates front-end and back-end code in one click, zero-code builds a system in 5 minutes, and AI Skills draw a flow, design a form or generate a whole system from a single sentence. Built-in AI chat, knowledge base, flow orchestration, MCP plugins and more, compatible with mainstream large models. Leads the "AI generation → online configuration → code generation → manual merge -> AI modification" development model, eliminating 80% of the repetitive work in Java projects and boosting efficiency without losing flexibility.
- issues/4983 SQL Injection in 3.5.1 #4983 · jeecgboot/JeecgBoot@dd7bf10
- SQL Injection in 3.5.1
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jeecgframework.boot:jeecg-boot-parent (Maven) | < 3.5.1 | 3.5.1 |
Affected products (1)
Patches (1)
dd7bf104e7ed issues/4983 SQL Injection in 3.5.1 #4983
1 file changed · +51 −1
jeecg-boot-base-core/src/main/java/org/jeecg/common/util/security/AbstractQueryBlackListHandler.java+51 −1 modified@@ -3,6 +3,8 @@ import lombok.extern.slf4j.Slf4j; import java.util.*; +import java.util.regex.Matcher; +import java.util.regex.Pattern; /** * 查询表/字段 黑名单处理 @@ -21,6 +23,11 @@ public abstract class AbstractQueryBlackListHandler { */ public static Map<String, String> ruleMap = new HashMap<>(); + /** + * 以下字符不能出现在表名中或是字段名中 + */ + public static final Pattern ILLEGAL_NAME_REG = Pattern.compile("[-]{2,}"); + static { ruleMap.put("sys_user", "password,salt"); } @@ -53,7 +60,10 @@ public boolean isPass(String sql) { return true; } log.info("--获取sql信息--", list.toString()); - boolean flag = true; + boolean flag = checkTableAndFieldsName(list); + if(flag == false){ + return false; + } for (QueryTable table : list) { String name = table.getName(); String fieldString = ruleMap.get(name); @@ -73,6 +83,46 @@ public boolean isPass(String sql) { return flag; } + /** + * 校验表名和字段名是否有效,或是是否会带些特殊的字符串进行sql注入 + * issues/4983 SQL Injection in 3.5.1 #4983 + * @return + */ + private boolean checkTableAndFieldsName(List<QueryTable> list){ + boolean flag = true; + for(QueryTable queryTable: list){ + String tableName = queryTable.getName(); + if(hasSpecialString(tableName)){ + flag = false; + log.warn("sql黑名单校验,表名【"+tableName+"】包含特殊字符"); + break; + } + Set<String> fields = queryTable.getFields(); + for(String name: fields){ + if(hasSpecialString(name)){ + flag = false; + log.warn("sql黑名单校验,字段名【"+name+"】包含特殊字符"); + break; + } + } + } + return flag; + } + + /** + * 是否包含特殊的字符串 + * @param name + * @return + */ + private boolean hasSpecialString(String name){ + Matcher m = ILLEGAL_NAME_REG.matcher(name); + if (m.find()) { + return true; + } + return false; + } + + /** * 查询的表的信息 */
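Review bot: the new ILLEGAL_NAME_REG in the second hunk, `Pattern.compile("[-]{2,}")`, denies only a run of two or more hyphens, while the Javadoc above it ("以下字符不能出现在表名中或是字段名中") promises a set of forbidden characters. Because these names are spliced into SQL with ${} rather than bound as parameters, a single-token denylist is a narrow guard; validating each name against an identifier allowlist such as `^[A-Za-z_][A-Za-z0-9_]*$` would reject everything that is not a bare table or column name and needs no further denylist maintenance. At minimum, the comment should say that the pattern targets the `--` comment sequence from issue #4983 so readers do not assume broader coverage.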
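Review bot: in isPass (third hunk), `if(flag == false)` reads more idiomatically as `if (!flag)`. The unchanged context line just above it, `log.info("--获取sql信息--", list.toString())`, has no `{}` placeholder, so the list argument is silently dropped by SLF4J and the SQL information is never logged; worth fixing while this method is being touched.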
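Review bot: in checkTableAndFieldsName (last hunk), the inner `break` exits only the field loop, so after a bad field name the outer loop keeps scanning the remaining tables before the method returns false; returning false directly at both detection points (and `return true` at the end) makes the check short-circuit and removes the flag variable. hasSpecialString also calls `ILLEGAL_NAME_REG.matcher(name)` without a null check, so a QueryTable with no name surfaces as a NullPointerException out of isPass instead of a clean rejection; decide whether a missing name should fail closed (`name == null || m.find()`) and the body then reduces to a single return of that expression.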
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.