JeecgBoot Information Disclosure Vulnerability in Department Role Query Endpoint

Vulnerability

An information disclosure vulnerability has been identified in JeecgBoot versions prior to 3.9.0. The issue lies in the 'getDeptRoleByUserId' function of the 'SysDepartRoleController' file. Because the endpoint performs no tenant validation, a caller can supply a 'departId' belonging to a different tenant and retrieve that tenant's user department role information. This can lead to cross-tenant permission leaks and unauthorized insight into user roles and responsibilities.

Impact

Exploitation of this vulnerability could result in unauthorized access to cross-tenant user role information, allowing attackers to analyze and map organizational permission structures. Additionally, it could disclose sensitive personnel information regarding department affiliations and roles, which could be used to identify high-privilege users for targeted attacks.

Reproduction

To reproduce this vulnerability, an authenticated user must send a GET request to the '/sys/sysDepartRole/getDeptRoleByUserId' endpoint, including a valid 'userId' and 'departId' from a different tenant. The absence of tenant validation will allow the request to succeed and return the targeted user's role information.

Remediation

Implement tenant ownership validation for both the department and the user being queried, so that only data belonging to the caller's tenant is returned. Add tenant ID filtering to the database queries, restrict role queries to a single user for non-administrators, and log all role query operations, especially cross-tenant access attempts.
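As an added illustration that is not JeecgBoot's own code, the stand-alone Java sketch below contrasts an unscoped lookup with one that applies the checks above. The 'DeptRoleQuery' class, its 'scopedQuery' and 'unscopedQuery' methods, and all tenant, user, department and role values are constructed assumptions; in a real controller the caller's tenant would come from the authenticated session, never from the request.

```java
import java.util.List;
import java.util.Map;
// Added example, not JeecgBoot code: tenant-scoped department-role lookup.
// All tenants, users, departments and roles below are constructed sample data.
public class DeptRoleQuery {
    record Depart(String id, String tenantId) {}
    record User(String id, String tenantId, boolean admin) {}
    record DeptRole(String userId, String departId, String roleName) {}
    static final Map<String, Depart> DEPARTS = Map.of(
            "d1", new Depart("d1", "tenantA"),
            "d2", new Depart("d2", "tenantB"));
    static final Map<String, User> USERS = Map.of(
            "u1", new User("u1", "tenantA", false),
            "u2", new User("u2", "tenantB", false),
            "adm", new User("adm", "tenantA", true));
    static final List<DeptRole> ROLES = List.of(
            new DeptRole("u1", "d1", "developer"),
            new DeptRole("u2", "d2", "finance-approver"));

    // Weak shape (what the advisory describes): the query trusts the caller-supplied
    // ids and applies no tenant filter, so any valid pair from any tenant resolves.
    static List<String> unscopedQuery(String userId, String departId) {
        return ROLES.stream()
                .filter(r -> r.userId().equals(userId) && r.departId().equals(departId))
                .map(DeptRole::roleName).toList();
    }

    // Hardened shape: the caller's tenant (taken from the session, never the request)
    // must own both the department and the target user, and non-administrators may
    // only query their own user id. Denials are logged for cross-tenant detection.
    static List<String> scopedQuery(User caller, String userId, String departId) {
        Depart depart = DEPARTS.get(departId);
        User target = USERS.get(userId);
        boolean sameTenant = depart != null && target != null
                && depart.tenantId().equals(caller.tenantId())
                && target.tenantId().equals(caller.tenantId());
        boolean allowedUser = caller.admin() || caller.id().equals(userId);
        if (!sameTenant || !allowedUser) {
            System.err.printf("AUDIT denied dept-role query caller=%s tenant=%s userId=%s departId=%s%n", caller.id(), caller.tenantId(), userId, departId);
            return List.of(); // empty result, giving no hint whether the ids exist
        }
        return unscopedQuery(userId, departId);
    }

    public static void main(String[] args) {
        User u1 = USERS.get("u1");
        System.out.println(unscopedQuery("u2", "d2"));   // tenantB's row resolves with no caller check
        System.out.println(scopedQuery(u1, "u2", "d2")); // tenantA caller asking about tenantB: denied
        System.out.println(scopedQuery(u1, "u1", "d1")); // own row in own tenant: returned
    }
}
```

Run with `java DeptRoleQuery.java` (Java 16 or later); the audit line on stderr is the signal a detection rule would key on.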

Added: Dec 28, 2025, 5:18 AM
Updated: Dec 28, 2025, 5:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.