JeecgBoot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*, +1 more
- <= 3.9.0
A vulnerability exists in JeecgBoot versions prior to 3.9.0, in the 'getDeptRoleList' function of the 'SysDepartRoleController'. The function performs improper authorization: it does not verify that the department named by the 'departId' parameter of a GET request to the 'getDeptRoleList' endpoint belongs to the caller's tenant, so an attacker who manipulates 'departId' can read role information from other tenants' departments. The vulnerability can be exploited remotely, but requires a valid login session and knowledge of the target tenant's department ID.
Exploitation of this vulnerability leads to cross-tenant information disclosure, allowing attackers to access department role information from other tenants, including role names, codes, and descriptions. This exposure of role data can reveal an organization's departmental structure and management hierarchy, and provides insights that could be used for further privilege escalation attacks.
To reproduce this vulnerability, an authenticated user must send a GET request to the '/sys/sysDepartRole/getDeptRoleList' endpoint, including a 'departId' parameter that corresponds to a department in a different tenant. The 'userId' parameter can be included but is not utilized by the application. The response will include the role information from the specified department, which can be verified by cross-referencing with a legitimate account from that tenant.
To address this vulnerability, implement tenant ownership validation before querying department roles. Ensure that the 'departId' belongs to the current tenant and add tenant ID filtering to role queries. Additionally, utilize the 'userId' parameter for permission verification, establish database-level tenant isolation, and log all role query operations, particularly cross-tenant access attempts.
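The tenant-ownership check and tenant-scoped query that the remediation describes, as an added Spring MVC illustration; this is not JeecgBoot's own code, and the tenant-context, department-service and repository types are hypothetical stand-ins:

```java
import java.util.List;
import java.util.Objects;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical collaborators, standing in for whatever the real application wires in.
record DeptRole(String id, String roleName, String roleCode, String description) {}
interface TenantContext { String currentTenantId(); }          // tenant of the logged-in session
interface DepartService { String tenantIdOf(String departId); } // null if no such department
interface DeptRoleRepository {
    List<DeptRole> findByDepartId(String departId);                             // unscoped
    List<DeptRole> findByDepartIdAndTenantId(String departId, String tenantId); // tenant-scoped
}

@RestController
@RequestMapping("/sys/sysDepartRole")
public class DeptRoleControllerExample {
    private final TenantContext tenant;
    private final DepartService departs;
    private final DeptRoleRepository roles;
    public DeptRoleControllerExample(TenantContext tenant, DepartService departs, DeptRoleRepository roles) {
        this.tenant = tenant; this.departs = departs; this.roles = roles;
    }

    // BEFORE (the pattern the advisory describes): 'departId' is trusted as received,
    // so the query returns roles for any department the caller names, in any tenant.
    @GetMapping("/getDeptRoleListUnchecked")
    public List<DeptRole> getDeptRoleListUnchecked(@RequestParam String departId) {
        return roles.findByDepartId(departId);
    }

    // AFTER: verify tenant ownership first, then scope the query by tenant as well.
    @GetMapping("/getDeptRoleList")
    public ResponseEntity<List<DeptRole>> getDeptRoleList(@RequestParam String departId) {
        String callerTenant = tenant.currentTenantId();
        String ownerTenant = departs.tenantIdOf(departId);
        if (ownerTenant == null || !Objects.equals(ownerTenant, callerTenant)) {
            // Log tenant + departId so cross-tenant probing is visible to monitoring;
            // answer 404 rather than 403 so the response does not confirm the department exists.
            System.err.printf("cross-tenant dept role query: tenant=%s departId=%s%n", callerTenant, departId);
            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
        }
        // Defense in depth: even if the check above regresses, the query itself is tenant-scoped.
        return ResponseEntity.ok(roles.findByDepartIdAndTenantId(departId, callerTenant));
    }
}
```

The 'userId' parameter is not shown; it should be compared against the authenticated session principal rather than taken from the request as-is.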