JeecgBoot Improper Authorization Vulnerability in Tenant Batch Deletion

Vulnerability

An improper authorization vulnerability has been identified in JeecgBoot versions through 3.8.2. The issue resides in an unknown function of the file '/sys/tenant/deleteBatch', where manipulation of the 'ids' argument leads to inadequate authorization checks. The vulnerability can be exploited remotely, although the attack complexity is considered high.

Impact

Exploitation of this vulnerability allows authenticated users to delete tenants without proper authorization, leading to permanent data loss, potential disruption of services for affected tenants, and significant operational and reputational damage to the organization.

Reproduction

To reproduce this vulnerability, an authenticated user must send a DELETE request to the '/sys/tenant/deleteBatch' endpoint, including the 'ids' of the tenants to be deleted as a query parameter. The request must be made with an authenticated user session that lacks the necessary administrative privileges.
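The root cause described in the Vulnerability and Reproduction sections is a batch-delete handler that treats "authenticated" as sufficient and never checks, per tenant id, whether the caller may delete that tenant. The following is an added example, not JeecgBoot code: a constructed in-memory tenant store with a handler that reproduces the flawed pattern beside a hardened one. The data model, the role names (super admin, tenant admin), the function names and the hypothetical 'Forbidden' error are all assumptions made for illustration.

```python
"""Constructed illustration of a tenant batch-delete authorization gap and one
way to close it. Nothing here is JeecgBoot's own code; names are assumptions."""
from __future__ import annotations

import logging
from dataclasses import dataclass, field

logger = logging.getLogger("tenant_admin")


@dataclass
class User:
    user_id: str
    is_super_admin: bool = False
    # Tenants this user administers (constructed; a real system looks this up).
    admin_of: frozenset[str] = frozenset()


@dataclass
class TenantStore:
    tenants: dict[str, str] = field(default_factory=dict)  # id -> tenant name


class Forbidden(Exception):
    """Hypothetical error mapped to an HTTP 403 by the web layer."""


def parse_ids(raw: str) -> list[str]:
    """Parse the comma-separated 'ids' query parameter, dropping blanks and duplicates."""
    seen: set[str] = set()
    out: list[str] = []
    for part in raw.split(","):
        tid = part.strip()
        if tid and tid not in seen:
            seen.add(tid)
            out.append(tid)
    return out


def delete_batch_vulnerable(store: TenantStore, user: User, raw_ids: str) -> list[str]:
    """Flawed pattern: any authenticated caller deletes whatever ids they name.
    Authentication is checked upstream; authorization per tenant never is."""
    deleted = []
    for tid in parse_ids(raw_ids):
        if store.tenants.pop(tid, None) is not None:
            deleted.append(tid)
    return deleted


def delete_batch_hardened(store: TenantStore, user: User, raw_ids: str) -> list[str]:
    """Hardened pattern: authorize every id before touching any row and fail
    closed, so a batch containing even one foreign tenant deletes nothing.
    Unknown ids are also refused for non-super-admins, which avoids leaking
    which tenant ids exist."""
    ids = parse_ids(raw_ids)
    if not ids:
        return []
    if not user.is_super_admin:
        denied = [tid for tid in ids if tid not in user.admin_of]
        if denied:
            logger.warning("user=%s denied tenant batch delete ids=%s", user.user_id, denied)
            raise Forbidden(f"not authorized for tenants: {denied}")
    deleted = []
    for tid in ids:
        if store.tenants.pop(tid, None) is not None:
            deleted.append(tid)
    logger.info("user=%s deleted tenants=%s", user.user_id, deleted)
    return deleted


def demo() -> tuple[list[str], dict[str, str]]:
    """Run both handlers on the same constructed data; returns what the flawed
    handler deleted and what survives after the hardened handler refuses."""
    alice = User("alice", admin_of=frozenset({"t1"}))
    flawed_store = TenantStore({"t1": "Acme", "t2": "Globex", "t3": "Initech"})
    lost = delete_batch_vulnerable(flawed_store, alice, "t1,t2")  # t2 is not hers
    safe_store = TenantStore({"t1": "Acme", "t2": "Globex", "t3": "Initech"})
    try:
        delete_batch_hardened(safe_store, alice, "t1,t2")
    except Forbidden:
        pass
    return lost, dict(safe_store.tenants)


if __name__ == "__main__":
    print(demo())
```

The check runs against the full id list before the first deletion, which matters for batch endpoints: authorizing inside the loop would still delete the caller's own tenants before failing on the foreign one, and an attacker-controlled 'ids' list would then decide how much of the batch is applied.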

Added: Sep 25, 2025, 11:21 PM
Updated: Sep 25, 2025, 11:21 PM

Vulnerability Rating

Custom Algorithm

  spread          0.8
  impact          5.0
  exploitability  6.2
  remediation     0.0
  relevance       0.5
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to produce these 8 key vulnerability categories, which are then combined into the overall risk score.