JeecgBoot Improper Authentication Vulnerability in Multi-Tenant Management Module

Vulnerability

A critical vulnerability, classified as improper authentication, has been identified in JeecgBoot versions prior to 3.9.0 in the SysTenantController of the Multi-Tenant Management Module. The root cause is a complete absence of authorization checks combined with business logic flaws in the tenant membership workflow: no operation verifies that the calling user belongs to, or administers, the tenant it acts on. As a result, any authenticated user can bypass multi-tenancy isolation and manipulate tenant memberships. An attacker enumerates tenant IDs to read tenant records, including each tenant's house number (the code used to join a tenant), uses a leaked house number to request membership, and then approves that request themselves. This defeats the application's multi-tenancy model and can lead to unauthorized access to tenant data and disruption of tenant organizations.

Impact

Exploitation allows any authenticated user to join any tenant without an administrator's approval, read that tenant's data, and disrupt its organizational structure, for example by inviting further users into the tenant.

Reproduction

The vulnerability can be reproduced with any valid account; no tenant membership or elevated role is required. First, enumerate tenant IDs against the 'queryById' endpoint; the responses include each tenant's house number. Then, call the 'joinTenantByHouseNumber' endpoint with a leaked house number to create a membership request for the target tenant. Finally, call the 'agreeOrRefuseJoinTenant' endpoint as the same user to approve that request, completing the join without any involvement of the tenant's administrators. A fixed build is expected to refuse the first step for tenants the user does not belong to, which makes that request a quick check of whether an installation is affected.
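The following is an added example, not code from JeecgBoot or its maintainers. It models the three SysTenantController operations named above as plain Python methods, once in a deliberately flawed form that mirrors the described behaviour and once with the checks a fix needs (caller must be a member to read a tenant, only admins see the house number, only an admin other than the applicant may decide a join request), so the attack chain and the intended invite flow can be run offline against both. Every class name, field, error message and the sample tenant data are assumptions for illustration.

```python
# Added example, not JeecgBoot code: in-memory model of the tenant join workflow.
# All names, data shapes and messages are assumptions for illustration.
from dataclasses import dataclass, field
import secrets


class Forbidden(Exception):
    """Raised where a real controller would answer HTTP 403."""


@dataclass
class Tenant:
    tenant_id: int
    name: str
    house_number: str                            # join code; must not reach outsiders
    admins: set = field(default_factory=set)
    members: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # applicant -> request id


class VulnerableTenantService:
    """Mirrors the described flaw: nothing relates the caller to the tenant."""

    def __init__(self, tenants):
        self.tenants = {t.tenant_id: t for t in tenants}

    def query_by_id(self, caller, tenant_id):
        t = self.tenants[tenant_id]              # caller is never consulted
        return {"id": t.tenant_id, "name": t.name, "houseNumber": t.house_number}

    def join_by_house_number(self, caller, house_number):
        for t in self.tenants.values():
            if t.house_number == house_number:
                t.pending[caller] = secrets.token_hex(4)
                return t.pending[caller]
        raise KeyError("unknown house number")

    def agree_or_refuse_join(self, caller, tenant_id, applicant, agree):
        t = self.tenants[tenant_id]
        t.pending.pop(applicant)                 # anyone may decide, even the applicant
        if agree:
            t.members.add(applicant)
        return agree


class HardenedTenantService(VulnerableTenantService):
    """Adds the authorization checks the flawed version lacks."""

    def query_by_id(self, caller, tenant_id):
        t = self.tenants[tenant_id]
        if caller not in t.members:
            raise Forbidden("tenant details are visible to members only")
        out = {"id": t.tenant_id, "name": t.name}
        if caller in t.admins:                   # the join code is admin-only
            out["houseNumber"] = t.house_number
        return out

    def join_by_house_number(self, caller, house_number):
        for t in self.tenants.values():
            # constant-time compare: the code is a secret, not an identifier
            if secrets.compare_digest(t.house_number, house_number):
                if caller in t.members:
                    raise Forbidden("already a member")
                t.pending[caller] = secrets.token_hex(4)
                return t.pending[caller]
        raise KeyError("unknown house number")

    def agree_or_refuse_join(self, caller, tenant_id, applicant, agree):
        t = self.tenants[tenant_id]
        if caller not in t.admins:
            raise Forbidden("only an admin of this tenant may decide join requests")
        if caller == applicant:
            raise Forbidden("a request cannot be decided by its own applicant")
        if applicant not in t.pending:
            raise KeyError("no pending request for applicant")
        del t.pending[applicant]
        if agree:
            t.members.add(applicant)
        return agree


def make_fixture():
    """Constructed sample data: one tenant, one admin; the attacker is an outsider."""
    return [Tenant(1001, "Acme", "HN-7f3a9c", admins={"alice"}, members={"alice"})]


def attack_chain(service, attacker, tenant_id):
    """Run the advisory's three steps as a low-privilege user with no admin help.
    Returns True if the attacker ends up a member of the target tenant."""
    try:
        code = service.query_by_id(attacker, tenant_id)["houseNumber"]
        service.join_by_house_number(attacker, code)
        service.agree_or_refuse_join(attacker, tenant_id, attacker, agree=True)
    except (Forbidden, KeyError):
        pass
    return attacker in service.tenants[tenant_id].members


def invited_join(service, admin, newcomer, tenant_id):
    """The intended flow: admin reads the code, shares it out of band, newcomer
    applies, admin approves. Returns True if the newcomer is now a member."""
    code = service.query_by_id(admin, tenant_id)["houseNumber"]
    service.join_by_house_number(newcomer, code)
    service.agree_or_refuse_join(admin, tenant_id, newcomer, agree=True)
    return newcomer in service.tenants[tenant_id].members
```

Running attack_chain against the vulnerable service makes "mallory" a member of tenant 1001 with no admin action; against the hardened service the chain is already refused at query_by_id, while invited_join still succeeds on both, which is the property a patch has to preserve.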

Remediation

Users are advised to update to JeecgBoot version 3.9.0 or later, where this vulnerability has been patched. Administrators of installations that ran an affected version should also review tenant member lists and join-request history for members who were added without an administrator's approval.

Added: Dec 19, 2025, 1:18 AM
Updated: Dec 19, 2025, 1:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 5.0
exploitability: 6.6
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.