RuoYi Insecure Role Assignment Vulnerability Allowing Privilege Escalation

Vulnerability

A vulnerability in RuoYi version 4.8.0 allows authenticated users to escalate privileges by assigning themselves higher-level roles. The issue arises because the role assignment interface fails to properly validate whether the new role has greater privileges than the current one. As a result, users can manipulate their roles to gain unauthorized access to additional functionalities.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, enabling users to gain access to higher-level roles and associated permissions within the application.

Reproduction

To reproduce this vulnerability, an authenticated user with a low-privilege role opens the user role assignment interface, selects a role with higher privileges, and assigns it to themselves. Because the server does not compare the requested role against the privileges the user already holds, the assignment is accepted and the user gains access it was never granted.
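The missing control is a server-side comparison between the roles the caller already holds and the roles being requested. The following Java class is an added illustration of that check, not code from RuoYi or from the advisory: the role names, the numeric privilege ranking, the User type and the method names are all hypothetical, and the check is deliberately free of any framework dependency so it can be compiled and run on its own.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Added example: an authorization guard for a role-assignment endpoint. */
public class RoleAssignmentGuard {

    /** Hypothetical privilege ranking; a larger number means a more powerful role. */
    static final Map<String, Integer> ROLE_RANK = Map.of(
            "guest", 1, "user", 2, "operator", 3, "admin", 4);

    /** Minimal stand-in for an authenticated principal (hypothetical type). */
    static final class User {
        final String name;
        Set<String> roles;
        User(String name, Set<String> roles) {
            this.name = name;
            this.roles = new HashSet<>(roles);
        }
    }

    /** Highest rank among a set of roles; 0 if the set is empty. */
    static int maxRank(Set<String> roles) {
        int best = 0;
        for (String r : roles) {
            best = Math.max(best, ROLE_RANK.getOrDefault(r, 0));
        }
        return best;
    }

    /** Pattern behind the advisory: the request is trusted and applied as-is. */
    static void assignRolesUnchecked(User target, Set<String> requested) {
        target.roles = new HashSet<>(requested);
    }

    /**
     * Hardened decision: every requested role must be known, and none may
     * outrank the roles the acting user already holds. The actor is taken
     * from the authenticated session, never from a request parameter.
     */
    static boolean canAssign(User actor, Set<String> requested) {
        int actorCeiling = maxRank(actor.roles);
        for (String r : requested) {
            Integer rank = ROLE_RANK.get(r);
            if (rank == null || rank > actorCeiling) {
                return false;
            }
        }
        return true;
    }

    /** Applies the assignment only after the check passes; refusals are logged for detection. */
    static void assignRolesChecked(User actor, User target, Set<String> requested) {
        if (!canAssign(actor, requested)) {
            // Constructed audit line; a real deployment would route this to its audit log.
            System.err.printf("AUDIT denied role change actor=%s target=%s requested=%s%n",
                    actor.name, target.name, requested);
            throw new SecurityException("requested role exceeds caller's privileges");
        }
        target.roles = new HashSet<>(requested);
    }

    public static void main(String[] args) {
        User lowPriv = new User("alice", Set.of("user"));

        // Unchecked path: a plain user becomes admin, the behaviour the advisory describes.
        assignRolesUnchecked(lowPriv, Set.of("admin"));
        System.out.println("unchecked -> " + lowPriv.roles);   // [admin]

        // Checked path: the same request is refused and the roles are unchanged.
        User alice = new User("alice", Set.of("user"));
        try {
            assignRolesChecked(alice, alice, Set.of("admin"));
        } catch (SecurityException e) {
            System.out.println("checked -> refused: " + e.getMessage());
        }
        System.out.println("roles after refusal -> " + alice.roles);  // [user]

        // An administrator assigning a lower role is still permitted.
        User admin = new User("root", Set.of("admin"));
        assignRolesChecked(admin, alice, Set.of("operator"));
        System.out.println("admin grants operator -> " + alice.roles);  // [operator]
    }
}
```

The rank comparison is the narrowest fix for what the advisory describes; a stricter policy that many deployments prefer is to refuse self-service role changes entirely and require a different, more privileged actor for any change to a user's own roles. Either way the decision must be made on the server from the session's identity, and refusals are worth logging, since repeated denied attempts from one account are a useful detection signal.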

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.0
impact: 5.0
exploitability: 6.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.