JeecgBoot Improper Authorization Vulnerability in Data Rule Query Endpoint

Vulnerability

JeecgBoot versions prior to 3.9.0 contain an improper authorization flaw in the data rule query endpoint. The loadDatarule function takes a department ID and a role ID from the request path and looks up the matching data permission rules without checking that the department and role belong to the caller's tenant. Because the identifiers are trusted as-is, an authenticated user in one tenant can read the data permission rule configuration of any other tenant, information that supports later access control bypasses. The flaw is exploitable remotely by any authenticated user, but the attacker must know the target tenant's department ID, role ID, and permission ID. The exploit has been made public.

Impact

Exploitation of this vulnerability leads to unauthorized cross-tenant disclosure of data permission rule configurations. The attacker learns which data rules apply to a given permission, department, and role combination in another tenant, which can be used to map out the target tenant's permission architecture and, combined with other vulnerabilities, to bypass its access controls.

Reproduction

To reproduce this vulnerability, an authenticated user sends a GET request to the /sys/sysDepartRole/datarule/{permissionId}/{departId}/{roleId} endpoint with a valid authorization token, substituting the permission ID, department ID, and role ID of a victim tenant for the path parameters. The token must belong to a user of a different tenant than the one that owns those IDs; otherwise the response proves nothing. The API responds with the data permission rule configuration of the victim tenant, which can be confirmed by querying the same IDs with an administrator account of that tenant and comparing the two responses.

Remediation

The affected range ends at 3.9.0, so upgrading to 3.9.0 or later is the primary fix. For a code-level remediation, resolve the department and role named in the path before processing a data rule query and verify that both belong to the caller's tenant, returning the same response for a foreign-tenant ID as for a nonexistent one so the endpoint cannot be used to enumerate IDs in other tenants. Further restrict the endpoint so that only department administrators or system administrators can read data permission rules, and log every data permission rule query, allowed or denied, for security auditing.
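The following Java program is an added illustration of the reproduction and remediation steps above; it is not JeecgBoot's code. It models the pre-3.9.0 lookup, which trusts the path IDs, next to a hardened lookup that checks tenant ownership of both the department and the role. The class, field, and method names, the in-memory tables, and the sample tenants, IDs and rule names are all constructed for the example; in the real application the caller's tenant would come from the authenticated session rather than a method argument.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

/*
 * Added example, not JeecgBoot's implementation. Every name below is
 * hypothetical; it models the shape of the missing check, not the project's API.
 */
public class DataRuleAuthzExample {

    /** A department or role row, reduced to the two fields that matter here. */
    record Owned(String id, String tenantId) {}

    /** Constructed in-memory tables standing in for the database. */
    static final Map<String, Owned> DEPARTS = new HashMap<>();
    static final Map<String, Owned> ROLES = new HashMap<>();
    /** key: permissionId/departId/roleId -> names of the data rules that apply */
    static final Map<String, List<String>> RULES = new HashMap<>();

    static {
        // Constructed sample data: tenant 1000 is the victim, tenant 2000 the attacker.
        DEPARTS.put("dep-A", new Owned("dep-A", "1000"));
        ROLES.put("role-A", new Owned("role-A", "1000"));
        RULES.put("perm-1/dep-A/role-A", List.of("only_own_department", "mask_salary"));
        DEPARTS.put("dep-B", new Owned("dep-B", "2000"));
        ROLES.put("role-B", new Owned("role-B", "2000"));
        RULES.put("perm-1/dep-B/role-B", List.of("read_all"));
    }

    static String key(String permissionId, String departId, String roleId) {
        return permissionId + "/" + departId + "/" + roleId;
    }

    /**
     * Shape of the pre-3.9.0 bug: the three path parameters are used directly,
     * so any authenticated caller can read any tenant's rule configuration.
     */
    static List<String> loadDataruleVulnerable(String permissionId, String departId, String roleId) {
        return RULES.getOrDefault(key(permissionId, departId, roleId), List.of());
    }

    /**
     * Hardened form: resolve the department and the role and require that both
     * belong to the caller's tenant before the rule lookup runs. A foreign-tenant
     * ID and an unknown ID produce the same denial, so the endpoint cannot be
     * used to enumerate IDs that exist in other tenants.
     */
    static List<String> loadDataruleChecked(String callerTenantId, String permissionId,
                                            String departId, String roleId) {
        Owned depart = DEPARTS.get(departId);
        Owned role = ROLES.get(roleId);
        boolean owned = depart != null && role != null
                && Objects.equals(depart.tenantId(), callerTenantId)
                && Objects.equals(role.tenantId(), callerTenantId);
        // Audit every query, allowed or denied, tagged with the caller's tenant.
        System.out.printf("audit tenant=%s permission=%s depart=%s role=%s allowed=%b%n",
                callerTenantId, permissionId, departId, roleId, owned);
        if (!owned) {
            throw new SecurityException("department or role not found in caller's tenant");
        }
        return RULES.getOrDefault(key(permissionId, departId, roleId), List.of());
    }

    public static void main(String[] args) {
        // Attacker authenticated in tenant 2000 asks for tenant 1000's rule set.
        System.out.println("vulnerable: " + loadDataruleVulnerable("perm-1", "dep-A", "role-A"));
        try {
            loadDataruleChecked("2000", "perm-1", "dep-A", "role-A");
        } catch (SecurityException e) {
            System.out.println("checked: denied (" + e.getMessage() + ")");
        }
        // The same caller reading its own tenant's rules still succeeds.
        System.out.println("checked, own tenant: "
                + loadDataruleChecked("2000", "perm-1", "dep-B", "role-B"));
    }
}
```

Compile and run with a Java 16 or later JDK (the example uses a record). The vulnerable lookup returns the victim tenant's rule names to the tenant 2000 caller, the checked lookup throws for the same request and still serves the caller's own tenant, and each call to the checked lookup writes one audit line regardless of outcome.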

Added: Dec 28, 2025, 5:17 AM
Updated: Dec 28, 2025, 5:17 AM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 1.7
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.