CVE-2023-34603
Description
JeecgBoot up to v3.5.1 was discovered to contain a SQL injection vulnerability via the component queryFilterTableDictInfo at org.jeecg.modules.api.controller.SystemApiController.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JeecgBoot up to v3.5.1 has a SQL injection in queryFilterTableDictInfo due to unsanitized MyBatis ${} expressions.
Root Cause
CVE-2023-34603 describes a SQL injection vulnerability in JeecgBoot, a low-code development platform, affecting versions up to 3.5.1. The flaw resides in the queryFilterTableDictInfo method of the SystemApiController class (package org.jeecg.modules.api.controller). According to the official issue report, the root cause is the use of MyBatis' ${expression} syntax for dynamic SQL parameters, which directly interpolates user input without proper sanitization or parameterization [3]. The application's built-in SQL injection detection can be bypassed, allowing the attacker to inject arbitrary SQL fragments.
Attack Surface & Exploitation
The vulnerable endpoint is accessible at /sys/api/queryFilterTableDictInfo and accepts parameters such as table, text, code, and filterSql. An unauthenticated or low-privilege attacker can craft a request (e.g., injecting into the text parameter) to modify the query structure. For example, the provided proof-of-concept payload in the GitHub issue uses text=password as "text", username as "value" from sys_user -- to extract credentials from the sys_user table [3]. No special privileges are mentioned as a prerequisite.
Impact
Successful exploitation allows an attacker to retrieve arbitrary data from the underlying database, including sensitive user credentials and other confidential information stored in the application database. This could lead to privilege escalation, data exfiltration, or further compromise of the system. The vulnerability is classified with a CVSS severity that reflects potential high impact on confidentiality [2].
Mitigation Status
At the time of publication (June 2023), the project maintainers had been notified via the GitHub issue tracker, but no immediate patch was confirmed for versions beyond 3.5.1. Users are advised to upgrade to the latest available version (3.9.2 as of April 2026) and apply input validation and parameterized queries to prevent SQL injection. No known workaround beyond code-level fixes has been documented [1][3].
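The root cause above is MyBatis `${}` interpolation, which pastes a request parameter into the SQL text, where `#{}` would bind it as a parameter. Table and column names cannot be bound as parameters at all, which is why a dictionary-lookup endpoint that takes `table`, `text` and `code` from the request needs identifier validation rather than parameter binding for those three values. The following Python block is an added illustration, not code from JeecgBoot or from the issue report: it places the interpolating builder next to a hardened lookup that restricts the table to an assumed allowlist, checks the column names against the table's actual schema, and binds the filter value as a parameter. The schema, the allowlist and the SQLite backing store are constructed for the example.

```python
import re
import sqlite3

# Constructed sample schema (not from JeecgBoot): one dictionary table that the
# lookup endpoint is meant to serve, and a credentials table that it must not
# be able to reach through the dictionary endpoint.
SAMPLE_SCHEMA = """
CREATE TABLE sys_dict_status (status_name TEXT, status_code TEXT);
INSERT INTO sys_dict_status VALUES ('Enabled', '1'), ('Disabled', '0');
CREATE TABLE sys_user (username TEXT, password TEXT);
INSERT INTO sys_user VALUES ('admin', '<hash placeholder>');
"""

# Assumed policy: only tables registered as dictionaries may be queried.
DICT_TABLE_ALLOWLIST = frozenset({"sys_dict_status"})
# Plain SQL identifiers only: no spaces, quotes, commas or comment markers.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


class UnsafeIdentifier(ValueError):
    """Raised when a caller-supplied table or column name fails validation."""


def build_query_interpolated(table: str, text: str, code: str) -> str:
    """Vulnerable pattern, equivalent to MyBatis ${table}/${text}/${code}:
    the request parameters are pasted into the statement verbatim, so a value
    containing SQL changes the statement's structure."""
    return f"SELECT {text} AS text, {code} AS value FROM {table}"


def validate_identifier(name: str, allowed=None) -> str:
    """Accept only a bare identifier, optionally restricted to an allowlist."""
    if not IDENTIFIER_RE.fullmatch(name):
        raise UnsafeIdentifier(f"not a bare identifier: {name!r}")
    if allowed is not None and name not in allowed:
        raise UnsafeIdentifier(f"identifier not permitted here: {name!r}")
    return name


def query_dict_safe(conn, table, text, code, filter_value=None):
    """Hardened lookup: table from an allowlist, columns checked against the
    table's real schema, the filter value bound as a parameter (#{} style)."""
    table = validate_identifier(table, DICT_TABLE_ALLOWLIST)
    # Column names cannot be bound as parameters, so check them against the
    # schema of the (already validated) table instead of trusting the request.
    columns = {row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')}
    text = validate_identifier(text, columns)
    code = validate_identifier(code, columns)
    sql = f'SELECT "{text}" AS text, "{code}" AS value FROM "{table}"'
    params = ()
    if filter_value is not None:
        # The filter value is data, so it travels as a bound parameter.
        sql += f' WHERE "{code}" = ?'
        params = (filter_value,)
    return conn.execute(sql, params).fetchall()


def open_sample_db():
    """In-memory SQLite database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


if __name__ == "__main__":
    conn = open_sample_db()
    print(query_dict_safe(conn, "sys_dict_status", "status_name", "status_code"))
    try:
        query_dict_safe(conn, "sys_user", "username", "password")
    except UnsafeIdentifier as exc:
        print("rejected:", exc)
```

The schema check matters as much as the regex: a syntactically clean identifier such as `sys_user` is still rejected because it is not on the dictionary allowlist, and a clean column name is rejected unless it exists in that table. A request-supplied free-form filter fragment (the `filterSql` parameter mentioned above) cannot be made safe by this approach and is simply not accepted by the hardened function.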
- [1] GitHub - jeecgboot/JeecgBoot: AI low-code platform driven by a dual "low-code + zero-code" mode: low-code generates front-end and back-end code in one click, zero-code builds a system in 5 minutes, and AI Skills draw a process, design a form and generate a whole system from a single sentence. Built-in AI chat, knowledge base, process orchestration, MCP plugins and more, compatible with mainstream large language models. Leads the "AI generation → online configuration → code generation → manual merge -> AI modification" development model, eliminating 80% of the repetitive work in Java projects and improving efficiency without losing flexibility.
- [2] NVD - CVE-2023-34603
- [3] The org.jeecg.modules.api.controller.SystemApiController.queryFilterTableDictInfo method leads to SQL injection
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jeecgframework.boot:jeecg-boot-parent (Maven) | < 3.5.1 | 3.5.1 |
Affected products
- JeecgBoot/JeecgBoot
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cvgc-465m-cw9g (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-34603 (GHSA, advisory)
- github.com/jeecgboot/jeecg-boot/issues/4984 (GHSA, web)
News mentions
No linked articles in our index yet.