Vulnerability description
JeecgBoot is an open source low-code development platform, and building block reports are the low-code report components.
In the affected version of JeecgBoot, because the jeecg-boot/jmreport/testConnection Api interface is not authenticated and the dbUrl parameter is not restricted, when the application side has H2 database driver dependencies, the attacker sends an http request containing malicious dbUrl parameters remotely execute arbitrary code.
Vulnerability name | jeecg-boot/building block report based on the arbitrary code execution vulnerability driven by H2 |
---|---|
Vulnerability type | code injection |
Discovery time | 2023/8/11 |
Vulnerability Breadth | wide |
MPS number | MPS-bjs4-n6dm |
CVE number | - |
CNVD number | - |
Sphere of influence
JeecgBoot@[3.0, 3.5.3]
org.jeecgframework.jimureport:jimureport-spring-boot-starter@(-∞, 1.6.0]
Repair plan
Avoid direct external exposure of jeecg-boot/jmreport/testConnection Api interface
reference link
https://www.oscs1024.com/hd/MPS-bjs4-n6dm
About Murphy Security
Murphy Security is a technology company that provides you with professional software supply chain security management. The core team comes from Baidu, Huawei, Wuyun and other enterprises. The company provides customers with a complete software supply chain security management platform, and provides software with a full life cycle around SBOM Security management, platform capabilities include software component analysis, source security management, container image detection, vulnerability intelligence early warning and commercial software supply chain access assessment and other products. Provide customers with complete control capabilities from supply chain asset identification management, risk detection, security control, and one-key repair.
Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj
The product can be integrated with various tools in the existing development process at a very low cost, including seamless integration with dozens of tools such as IDE, Gitlab, Bitbucket, Jenkins, Harbor, and Nexus.
Free code security detection tool: https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj