VYPR
Moderate severity · NVD Advisory · Published Aug 17, 2023 · Updated Oct 8, 2024

CVE-2023-38905

Description

SQL injection vulnerability in Jeecg-boot v.3.5.0 and before allows a local attacker to cause a denial of service via the Benchmark, PG_Sleep, DBMS_Lock.Sleep, Waitfor, DECODE, and DBMS_PIPE.RECEIVE_MESSAGE functions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JeecgBoot ≤3.5.0 is vulnerable to time-based blind SQL injection via the /sys/duplicate/check endpoint, allowing attackers to extract data or cause denial of service.

Vulnerability

Overview

CVE-2023-38905 is a time-based blind SQL injection vulnerability found in JeecgBoot versions 3.5.0 and earlier. The flaw resides in the /sys/duplicate/check API endpoint, which fails to properly sanitize user-supplied input passed through the checksql parameter. Attackers can bypass security filters by using URL-encoded whitespace characters such as %09 to inject SQL payloads that include functions like sleep(), Benchmark, PG_Sleep, DBMS_Lock.Sleep, Waitfor, DECODE, and DBMS_PIPE.RECEIVE_MESSAGE [1][2][4].

Exploitation

Method

The attack requires no authentication; the provided reference shows that an attacker can send a crafted GET request with a valid X_ACCESS_TOKEN (obtainable through normal login) to the vulnerable endpoint. By manipulating the fieldName parameter with a time-delay payload such as if(user()='root@localhost',sleep(0),sleep(0)), the attacker can observe response delays to infer information bit by bit, confirming successful injection when the server pauses for the specified sleep duration [2][4].

Impact

Successful exploitation allows a remote attacker to perform time-based blind SQL injection, potentially extracting sensitive data from the database (e.g., user credentials, application secrets) or causing a denial of service through heavy queries using Benchmark or similar functions. The vulnerability is classified as critical due to its low complexity and the ability to compromise data integrity and confidentiality [3].

Mitigation

The JeecgBoot project maintainers have acknowledged the issue and provided a fix referenced in GitHub issue #4737 [2][4]. Users are strongly advised to upgrade to a patched version (post-3.5.0) or apply the recommended input validation and parameterized query changes to the /sys/duplicate/check endpoint. As of the latest available information, no public exploit code has been released, but the vulnerability details are publicly known [1][4].
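The mitigation above names input validation and parameterized queries. The following is an added illustration of what that looks like for a duplicate-check endpoint; it is not JeecgBoot's own code, and the function names, the in-memory sys_user sample table and the sample rows are constructed assumptions. Table and column names cannot be bound as query parameters, so they are checked against a strict identifier allow-list after URL decoding (a decoded %09 tab fails it, where a keyword blacklist would not notice), and the compared value is bound rather than concatenated:

```python
import re
import sqlite3
from urllib.parse import unquote

# Allow-list for table/column names. Identifiers cannot be bound as parameters,
# so the only safe option is to reject anything that is not a bare identifier.
# Any whitespace, including a URL-decoded %09 tab, fails this check, unlike a
# keyword blacklist that looks for strings such as "sleep (" or "benchmark(".
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def is_safe_identifier(name: str) -> bool:
    """True only for a bare identifier; the caller passes the already-decoded value."""
    return IDENT_RE.fullmatch(name) is not None


def decoded_field_name_accepted(raw_param: str) -> bool:
    """Mirror what the endpoint sees: decode the query-string value, then validate."""
    return is_safe_identifier(unquote(raw_param))


def duplicate_check(conn, table_name, field_name, field_val, data_id=None) -> bool:
    """Hypothetical hardened duplicate check (not the project's code).
    Returns True when field_val already exists in table_name.field_name,
    ignoring the row whose id equals data_id when an existing record is edited."""
    for ident in (table_name, field_name):
        if not is_safe_identifier(ident):
            raise ValueError(f"rejected identifier: {ident!r}")
    # Identifiers are validated and quoted; the value is bound, never concatenated.
    sql = f'SELECT COUNT(*) FROM "{table_name}" WHERE "{field_name}" = ?'
    params = [field_val]
    if data_id is not None:
        sql += " AND id <> ?"
        params.append(data_id)
    (count,) = conn.execute(sql, params).fetchone()
    return count > 0


def build_demo_db():
    """Constructed in-memory sample table standing in for an application user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (id TEXT PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO sys_user VALUES (?, ?)",
                     [("1", "admin"), ("2", "o'hara")])
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(duplicate_check(db, "sys_user", "username", "admin"))   # True
    print(duplicate_check(db, "sys_user", "username", "o'hara"))  # True, quote is bound safely
    print(decoded_field_name_accepted("username"))                 # True
    print(decoded_field_name_accepted("username%09"))              # False: decoded tab rejected
```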

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jeecgframework.boot:jeecg-boot-parent (Maven)
Affected versions: <= 3.5.0
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)