CVE-2024-51165
Description
SQL injection in JEPAAS 7.2.8 via loadLoginCount dateVal parameter allows remote attackers to retrieve all database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A SQL injection vulnerability exists in JEPAAS version 7.2.8, specifically in the /je/rbac/rbac/loadLoginCount endpoint within the je-core-7.2.8.jar component. The dateVal parameter is directly concatenated into SQL queries without proper sanitization, as demonstrated in the provided code snippet [1]. Affected version: JEPAAS 7.2.8.
Exploitation
An attacker can exploit this vulnerability by sending an HTTP POST request to the /je/rbac/rbac/loadLoginCount endpoint with a crafted dateVal parameter. No authentication is required if the endpoint is publicly accessible, allowing a remote user to execute arbitrary SQL commands via injection.
Impact
Successful exploitation allows the attacker to retrieve all information stored in the database, leading to complete data disclosure and a severe breach of confidentiality. The attacker can extract sensitive user data, internal records, and other database contents.
Mitigation
As of the publication date (2024-12-10), no official patch has been released for this vulnerability [1]. Users should implement input validation and parameterized queries to mitigate the risk. It is recommended to upgrade to a future patched version once available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
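The Mitigation advice above (input validation plus parameterized queries), as an added example that is not JEPAAS code and not part of the original record. It is written in Python with an in-memory SQLite database so it runs offline; the login_log table, its columns and all function names are hypothetical stand-ins, and the sample rows and the hostile value are constructed.

```python
import re
import sqlite3
from datetime import date

# Constructed value that is not a date and carries a quote character.
CONSTRUCTED_HOSTILE = "2024-12-10' OR '1'='1"

def make_db():
    """Constructed sample data standing in for a login-log table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login_log (username TEXT, login_date TEXT)")
    db.executemany(
        "INSERT INTO login_log VALUES (?, ?)",
        [("alice", "2024-12-09"), ("bob", "2024-12-10"), ("carol", "2024-12-10")],
    )
    return db

def count_logins_concat(db, date_val):
    """Flawed pattern from the description: dateVal is pasted into the SQL text."""
    sql = "SELECT COUNT(*) FROM login_log WHERE login_date = '" + date_val + "'"
    return db.execute(sql).fetchone()[0]

def parse_date_val(date_val):
    """Allow-list validation: only a real calendar date written YYYY-MM-DD."""
    m = re.fullmatch(r"([0-9]{4})-([0-9]{2})-([0-9]{2})", date_val or "")
    if m is None:
        raise ValueError("dateVal must be YYYY-MM-DD")
    # date() raises ValueError for impossible dates such as 2024-02-30.
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))

def count_logins_bound(db, date_val):
    """Hardened form: validate first, then pass the value as a bound parameter."""
    day = parse_date_val(date_val)
    sql = "SELECT COUNT(*) FROM login_log WHERE login_date = ?"
    return db.execute(sql, (day.isoformat(),)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print("concat, normal value:  ", count_logins_concat(db, "2024-12-10"))
    print("concat, hostile value: ", count_logins_concat(db, CONSTRUCTED_HOSTILE))
    print("bound,  normal value:  ", count_logins_bound(db, "2024-12-10"))
    try:
        count_logins_bound(db, CONSTRUCTED_HOSTILE)
    except ValueError as exc:
        print("bound,  hostile value:  rejected:", exc)
```

The two controls are independent: the bound parameter keeps the value out of the SQL grammar even if validation is skipped, and the validator rejects malformed input before it reaches the database layer.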
Affected products
2
Patches
0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2
News mentions
0
No linked articles in our index yet.