CVE-2023-34659
Description
jeecg-boot 3.5.0 and 3.5.1 have a SQL injection vulnerability in the id parameter of the /jeecg-boot/jmreport/show interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JeecgBoot 3.5.0 and 3.5.1 are vulnerable to unauthenticated SQL injection in the /jeecg-boot/jmreport/show endpoint via the id parameter.
Vulnerability
Description
CVE-2023-34659 is an SQL injection vulnerability affecting JeecgBoot versions 3.5.0 and 3.5.1. The issue resides in the /jeecg-boot/jmreport/show interface, where the id parameter is directly concatenated into a SQL query without proper sanitization or parameterization. Source code analysis reveals that the controller processes POST requests to this endpoint, eventually reaching a MyBatis method that executes dynamically constructed SQL using string interpolation (${id}), allowing attackers to inject arbitrary SQL fragments [1][3].
Exploitation and Attack Surface
The vulnerability is unauthenticated, meaning no prior authentication is required to exploit it. An attacker can craft a malicious JSON payload containing SQL injection strings in the id parameter of the params field. For example, a payload like {"id":"1' or '%1%' like (updatexml(0x3a,concat(1,(select database())),1)) or '%%' like '"} can be sent to the affected endpoint. This exploit leverages error-based injection (e.g., updatexml) to extract information from the database [2][3].
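To make the mechanism above concrete, the following is an added example (Python with an in-memory SQLite table; it is not JeecgBoot's or JimuReport's code). It places a lookup built by string interpolation, the way a MyBatis ${id} mapping is, beside the bound-parameter form that #{id} produces, runs both against the exact payload quoted above, and adds a simple request-side check. The table name, column names, sample rows, the {"id": ...} body shape and the regular expression are assumptions made for the demo. Because SQLite has no updatexml() function, the interpolated query fails inside the database and the error is what comes back to the caller, which is the signal that error-based injection relies on; the parameterized query simply compares the whole string against the id column and returns nothing.

```python
import re
import sqlite3


# Constructed stand-in for the report table behind /jeecg-boot/jmreport/show.
# Table and column names are assumptions for this demo, not JeecgBoot's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO report VALUES (?, ?)",
        [("1", "sales-dashboard"), ("2", "hr-confidential")],
    )
    return conn


def show_report_vulnerable(conn, report_id):
    """Mirrors MyBatis ${id}: the request value is spliced into the SQL text,
    so the database parses whatever the client sent. Returns ("rows", list)
    on success or ("error", message) when the statement fails to parse or
    execute; that error is the side channel error-based injection relies on."""
    sql = f"SELECT id, name FROM report WHERE id = '{report_id}'"
    try:
        return ("rows", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def show_report_fixed(conn, report_id):
    """Mirrors MyBatis #{id}: the value travels as a bound parameter, so the
    SQL grammar is fixed before any client data is seen and the payload is
    compared literally against the id column."""
    return conn.execute(
        "SELECT id, name FROM report WHERE id = ?", (report_id,)
    ).fetchall()


# Heuristic request-side check a WAF or application filter could apply to the
# id field: a report id should be an opaque token and never contain quotes or
# SQL function/keyword names. The pattern is an assumption for this demo.
SUSPICIOUS = re.compile(r"['\"]|\b(updatexml|select|concat)\b", re.IGNORECASE)


def looks_like_injection(body):
    """True when the id field of a decoded JSON body matches SUSPICIOUS."""
    value = str(body.get("id", ""))
    return SUSPICIOUS.search(value) is not None


# The payload quoted in the advisory text, wrapped in an assumed {"id": ...} body.
INJECTED_BODY = {
    "id": "1' or '%1%' like (updatexml(0x3a,concat(1,(select database())),1)) or '%%' like '"
}
BENIGN_BODY = {"id": "1"}


def demo():
    """Run both query styles against the benign and injected ids."""
    conn = make_db()
    return {
        "vulnerable_benign": show_report_vulnerable(conn, BENIGN_BODY["id"]),
        "vulnerable_injected": show_report_vulnerable(conn, INJECTED_BODY["id"]),
        "fixed_benign": show_report_fixed(conn, BENIGN_BODY["id"]),
        "fixed_injected": show_report_fixed(conn, INJECTED_BODY["id"]),
        "flagged": looks_like_injection(INJECTED_BODY),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The interpolated path returns a database error for the injected id (the client controlled the SQL grammar), while the parameterized path returns the same single row for "1" and an empty result for the payload. The regex check is only a compensating control for logging or blocking at the edge; the fix that removes the bug is the switch from ${id} to #{id}, which the upgrade in the Mitigation section delivers.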
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized disclosure of sensitive data, including database contents and potentially user credentials. The injection is blind/error-based, but the attacker can systematically enumerate the database schema and extract records [2][3].
Mitigation
Users of JeecgBoot 3.5.0 and 3.5.1 should upgrade to a patched version immediately. The issue was reported and fixed in later releases; the project's GitHub repository indicates that current versions (e.g., 3.9.2) are not affected. No workarounds have been publicly documented, so upgrading is the recommended course of action [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jeecgframework.boot:jeecg-boot-parent (Maven) | >= 3.5.0, <= 3.5.1 | — |
Affected products
- jeecg-boot/jeecg-boot
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-934g-fvcc-4833 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-34659 (GHSA, advisory)
- github.com/jeecgboot/jeecg-boot/issues/4976 (GHSA, web)
News mentions
No linked articles in our index yet.