CVE-2023-42268
Description
Jeecg boot up to v3.5.3 was discovered to contain a SQL injection vulnerability via the component /jeecg-boot/jmreport/show.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
JeecgBoot up to v3.5.3 has a SQL injection vulnerability in the /jeecg-boot/jmreport/show endpoint, allowing unauthenticated boolean blind SQL injection.
Vulnerability Overview
CVE-2023-42268 is a SQL injection vulnerability found in JeecgBoot, an AI-driven low-code development platform. The vulnerability exists in versions up to and including v3.5.3, specifically within the /jeecg-boot/jmreport/show endpoint. The root cause is insufficient input sanitization, allowing an attacker to inject malicious SQL queries through crafted requests. The official description and issue tracker confirm the flaw is present in the org/jeecg/modules/jmreport/report/controller component, which fails to properly filter user-supplied parameters before passing them to database queries [2][3].
Exploitation Details
Exploitation does not require authentication, making it accessible to any remote attacker. The vulnerability is exploitable via boolean blind SQL injection techniques. The application employs a blacklist filter that blocks keywords such as exec, information_schema, insert, delete, update, and others. However, this blacklist can be bypassed using careful blind injection payloads that avoid those blocked terms. By observing the application's response differences (boolean-based inference), an attacker can extract sensitive data from the database without needing direct error messages [3]. The affected endpoint is exposed to both authenticated and unauthenticated users, widening the attack surface.
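The filter weakness described above, shown as an added Python example (this is not JeecgBoot's code, which is Java; the report table, its columns and the lookup functions are constructed for illustration, and the blocked keywords are the ones quoted in this entry): a keyword blacklist checked before string concatenation still lets a plain tautology through, because the blacklist matches words rather than structure, while a bound parameter keeps the same input as data and returns no rows.

```python
import sqlite3

# Keyword blacklist as described in this entry (constructed filter, not the product's code).
BLACKLIST = ("exec", "information_schema", "insert", "delete", "update")


def setup_db():
    """Constructed in-memory table standing in for a report store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO report VALUES (?, ?)",
        [("r1", "sales"), ("r2", "inventory")],
    )
    return conn


def passes_blacklist(value):
    """True when none of the blocked keywords occur in the value (case-insensitive)."""
    low = value.lower()
    return not any(keyword in low for keyword in BLACKLIST)


def lookup_concat(conn, report_id):
    """Weak pattern: blacklist check, then the value is concatenated into the SQL text.
    Anything that avoids the listed words is still interpreted as SQL."""
    if not passes_blacklist(report_id):
        raise ValueError("rejected by keyword filter")
    sql = f"SELECT id, name FROM report WHERE id = '{report_id}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, report_id):
    """Remediation pattern: the value is bound as a parameter, so the database
    never parses it as SQL; no blacklist is needed."""
    return conn.execute(
        "SELECT id, name FROM report WHERE id = ?", (report_id,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    tautology = "x' OR '1'='1"  # constructed input containing no blacklisted keyword
    print("blacklist accepts it:", passes_blacklist(tautology))
    print("concatenated query rows:", lookup_concat(db, tautology))  # every row leaks
    print("parameterised query rows:", lookup_param(db, tautology))  # no rows
```

The check worth keeping from this is the second function: bind every user-supplied value, and treat a keyword filter as defence in depth at most, never as the control that prevents injection.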
Impact
Successful exploitation allows an attacker to retrieve arbitrary data from the underlying database. Since the vulnerability is unauthenticated and can be exploited remotely, it poses a significant risk to confidentiality. An attacker could extract user credentials, session tokens, configuration secrets, or other sensitive information stored in the database. The blacklist bypass technique makes it possible to enumerate database content without triggering alarms or being blocked by simple keyword filters.
Mitigation Status
As of the latest analysis, JeecgBoot version 3.5.3 is the last affected release. The project's GitHub repository indicates that subsequent versions (e.g., 3.9.2) have been released, but the specific fix commit is not explicitly referenced in the issue. Administrators are strongly advised to upgrade to the latest available version to remediate this vulnerability. No official workaround has been documented; therefore, upgrading is the recommended course of action [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jeecgframework.boot:jeecg-boot-parent | Maven | <= 3.5.3 | — |
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
- github.com/advisories/GHSA-m7vh-pgfq-v4rq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-42268 (GHSA, advisory)
- github.com/jeecgboot/jeecg-boot/issues/5311 (GHSA, web)
News mentions (0)
No linked articles in our index yet.