CVE-2024-51164
Description
JEPaaS 7.2.8 suffers from SQL injection in the /je/login/btnLog/insertBtnLog endpoint, allowing a remote attacker to exfiltrate the entire database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The JEPaaS rapid application development platform version 7.2.8 contains a SQL injection vulnerability in the /je/login/btnLog/insertBtnLog endpoint. The BtnLogController.java class constructs an SQL INSERT statement by directly concatenating multiple user-supplied HTTP request parameters (btnTypeName, btnTypeCode, btnNatureCode, btnNatureName, funcName, btnName, btnId) without any sanitization or parameterized query usage [2]. This unsanitized concatenation allows an attacker to inject arbitrary SQL clauses.
Exploitation
An unauthenticated remote attacker can send a crafted POST request to /je/login/btnLog/insertBtnLog with malicious payloads in any of the vulnerable parameters. The attacker does not require any special network position beyond HTTP access to the target JEPaaS instance. The injection occurs because the application passes the raw parameter values into an SQL INSERT statement [2]; by including SQL metacharacters and commands, the attacker can break out of the intended query structure.
Impact
Successful exploitation enables the attacker to execute arbitrary SQL queries against the underlying database. The description states this allows retrieval of all information stored in the database [1][2]. The impact is a complete compromise of data confidentiality and, depending on database user permissions, could extend to data integrity via UPDATE or DELETE operations or potentially lead to operating system command execution if the database server has sufficient privileges.
Mitigation
As of the publication date (2024-11-15), no fixed version of JEPaaS has been released that addresses CVE-2024-51164. The vendor repository at Gitee [1] does not mention a patch. Users should apply strict input validation and use parameterized queries (prepared statements) in the insertBtnLog endpoint as a workaround, or restrict network access to the vulnerable endpoint until an official patch is available. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at the time of writing.
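The parameterized-query workaround above, as an added example that is not JEPaaS code: it uses Python's sqlite3 in place of the platform's Java, and the btn_log table, its schema and the sample form values are constructed assumptions. It contrasts a concatenated INSERT with a bound-parameter INSERT over the seven parameters named in the Vulnerability section.

```python
import sqlite3

# The seven request parameters the page lists as concatenated into the INSERT.
PARAMS = ["btnTypeName", "btnTypeCode", "btnNatureCode", "btnNatureName",
          "funcName", "btnName", "btnId"]

def open_db():
    # Assumed stand-in schema: one TEXT column per parameter (not JEPaaS's real table).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE btn_log (%s)" % ", ".join(p + " TEXT" for p in PARAMS))
    return db

def insert_concatenated(db, form):
    """The pattern the page describes: raw values spliced into the SQL text."""
    values = ", ".join("'" + form.get(p, "") + "'" for p in PARAMS)
    db.execute("INSERT INTO btn_log VALUES (" + values + ")")

def insert_parameterized(db, form):
    """The workaround: the SQL text is constant and every value is bound."""
    placeholders = ", ".join("?" for _ in PARAMS)
    db.execute("INSERT INTO btn_log VALUES (" + placeholders + ")",
               [form.get(p, "") for p in PARAMS])

def stored_row(insert_fn, form):
    """Run one insert on a fresh database; return (btnName, btnId) as stored."""
    db = open_db()
    try:
        insert_fn(db, form)
    except sqlite3.Error as exc:
        return "error: " + type(exc).__name__
    return db.execute("SELECT btnName, btnId FROM btn_log").fetchone()

# Constructed sample inputs (not taken from the advisory).
BENIGN = {p: p + "-value" for p in PARAMS}
QUOTED = dict(BENIGN, btnName="Save 'draft'")        # ordinary text with quotes
REWRITE = dict(BENIGN, btnName="x', 'changed') --")  # value that ends the literal early

if __name__ == "__main__":
    for name, form in [("benign", BENIGN), ("quoted", QUOTED), ("rewrite", REWRITE)]:
        print(name, "concatenated :", stored_row(insert_concatenated, form))
        print(name, "parameterized:", stored_row(insert_parameterized, form))
```

With concatenation, the quoted value fails to parse and the second value changes what is stored in btnId; with bound parameters both are stored verbatim as btnName.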
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.