JeecgBoot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*, +1 more
- <= 3.9.0
A vulnerability exists in JeecgBoot versions prior to 3.9.0, specifically in the queryPageList function of the /sys/sysDepartRole/list endpoint. An authenticated user can bypass authorization by manipulating the deptId parameter, resulting in cross-tenant information disclosure. The issue arises because the application fails to validate whether the specified department ID belongs to the current tenant, allowing attackers to access sensitive organizational data from other tenants. The vulnerability can be exploited remotely, but requires knowledge of the target tenant's department ID and a valid login session.
Exploitation of this vulnerability leads to unauthorized access to another tenant's department role information, including sensitive data such as role codes, names, and permission scopes. This cross-tenant data leakage violates the isolation principles of multi-tenant systems, potentially breaches data protection regulations, and could be exploited for further attacks.
To reproduce this vulnerability, log into the JeecgBoot application as an authenticated user. Ensure that the system's multi-tenancy mode is enabled. Once logged in, send a GET request to the /sys/sysDepartRole/list endpoint, including a department ID from a different tenant. The response will contain the department role information from the target tenant, confirming the successful exploitation of the vulnerability.
To address this vulnerability, implement server-side validation to ensure that the department ID belongs to the current tenant. This can be done by checking the tenant ID associated with the department before allowing access to the requested data. Additionally, enable database-level isolation using the MyBatis-Plus multi-tenancy plugin, which automatically filters data at the SQL level.
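The two mitigations above, as an added example that is not JeecgBoot's own code: a hardened department-role lookup that checks the department's tenant before querying, and a MyBatis-Plus tenant-line interceptor that enforces the same boundary in SQL. The entity, mapper and `TenantContext` names are assumptions; the MyBatis-Plus and JSqlParser classes are real.

```java
// Added example, not JeecgBoot's own code. Assumed names: SysDepart/SysDepartRole entities and mappers
// with a tenant_id column, and a TenantContext helper that returns the caller's tenant id.
import java.util.List;
import java.util.Objects;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Service;
import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
import com.baomidou.mybatisplus.extension.plugins.MybatisPlusInterceptor;
import com.baomidou.mybatisplus.extension.plugins.handler.TenantLineHandler;
import com.baomidou.mybatisplus.extension.plugins.inner.TenantLineInnerInterceptor;
import net.sf.jsqlparser.expression.Expression;
import net.sf.jsqlparser.expression.LongValue;

@Service
public class SysDepartRoleService {
    @Autowired private SysDepartMapper departMapper;
    @Autowired private SysDepartRoleMapper departRoleMapper;

    // Hardened form of the list lookup: resolve the department first and refuse it unless
    // it belongs to the caller's tenant. Unknown and foreign departments get the same answer,
    // so the response does not reveal whether a deptId exists in another tenant.
    public List<SysDepartRole> listByDept(String deptId) {
        Long currentTenant = TenantContext.getCurrentTenantId(); // assumed helper
        SysDepart depart = departMapper.selectById(deptId);
        if (depart == null || !Objects.equals(depart.getTenantId(), currentTenant)) {
            throw new IllegalArgumentException("department not found in current tenant");
        }
        return departRoleMapper.selectList(
            new LambdaQueryWrapper<SysDepartRole>().eq(SysDepartRole::getDeptId, deptId));
    }
}

// Database-level isolation: the tenant plugin appends "AND tenant_id = <current>" to every
// query, so even a missed controller check cannot return another tenant's rows.
@Configuration
class TenantConfig {
    @Bean
    public MybatisPlusInterceptor mybatisPlusInterceptor() {
        MybatisPlusInterceptor interceptor = new MybatisPlusInterceptor();
        interceptor.addInnerInterceptor(new TenantLineInnerInterceptor(new TenantLineHandler() {
            @Override public Expression getTenantId() { return new LongValue(TenantContext.getCurrentTenantId()); }
            @Override public String getTenantIdColumn() { return "tenant_id"; }
            @Override public boolean ignoreTable(String tableName) { return false; } // no table exempt
        }));
        return interceptor;
    }
}
```

The explicit check in the service is still worth keeping alongside the interceptor, because the plugin only protects statements that go through MyBatis-Plus with the tenant column present on the table.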