JeecgBoot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*, +1 more
- <= 3.9.0
A vulnerability exists in JeecgBoot versions prior to 3.9.0, specifically within the Department Management Authorization Query Data Rule API. The issue arises from the API's failure to validate tenant ownership when querying department permission data rules, allowing attackers to access and disclose fine-grained data access control policies of other tenants. This vulnerability can be exploited remotely and has been publicly disclosed.
Exploitation of this vulnerability leads to unauthorized access to cross-tenant data permission rules, allowing attackers to reconstruct the target tenant's permission management system and potentially exploit data leakage vulnerabilities.
To reproduce this vulnerability, an authenticated user sends a GET request to the '/sys/sysDepartPermission/datarule/{permissionId}/{departId}' endpoint, using a department ID and permission ID that belong to a different tenant. The response discloses that tenant's data permission rules, which the caller is not authorized to read.
Implement tenant ownership validation before querying department permissions, restrict data permission rule access to department or system administrators, apply role-based access control, and log all data permission rule query operations.
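As an added illustration (not JeecgBoot's code), a Python model of the datarule handler: `datarule_unchecked` has the shape described above, keyed on the path parameters alone, while `datarule` applies the tenant-ownership, role and logging controls listed in the mitigation. All class, field and sample values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Caller:
    user_id: str
    tenant_id: int
    roles: FrozenSet[str]

@dataclass(frozen=True)
class DataRule:
    permission_id: str
    depart_id: str
    tenant_id: int
    rule_text: str

class DepartPermissionService:
    """Hypothetical stand-in for the service behind the datarule endpoint."""
    ADMIN_ROLES = frozenset({"admin", "dept_admin"})

    def __init__(self, departs: Dict[str, int], rules: List[DataRule]):
        self.departs = departs  # depart_id -> owning tenant_id
        self.rules = rules
        self.audit: List[Tuple[str, str, str, int]] = []  # (user, permission, depart, status)

    def datarule_unchecked(self, permission_id: str, depart_id: str) -> List[DataRule]:
        # Vulnerable shape: keyed on the path parameters only; the caller's tenant is never consulted.
        return [r for r in self.rules if (r.permission_id, r.depart_id) == (permission_id, depart_id)]

    def datarule(self, caller: Caller, permission_id: str, depart_id: str) -> Tuple[int, object]:
        """Hardened handler: returns an HTTP-like (status, body) pair and always writes an audit row."""
        if not caller.roles & self.ADMIN_ROLES:
            status, body = 403, "caller is not a department or system administrator"
        elif self.departs.get(depart_id) != caller.tenant_id:
            # Unknown and foreign departments get the same answer, so the reply confirms nothing.
            status, body = 403, "department is not owned by the caller's tenant"
        else:
            # Belt and braces: rows carry a tenant id too, so filter on it even after the ownership check.
            status, body = 200, [r for r in self.datarule_unchecked(permission_id, depart_id)
                                 if r.tenant_id == caller.tenant_id]
        self.audit.append((caller.user_id, permission_id, depart_id, status))
        return status, body

def build_demo() -> DepartPermissionService:
    # Constructed sample data: two tenants, one department and one rule each.
    return DepartPermissionService(
        {"dept-A1": 1000, "dept-B1": 2000},
        [DataRule("perm-orders", "dept-A1", 1000, "create_by = #{sys_user_code}"),
         DataRule("perm-orders", "dept-B1", 2000, "region = 'EU'")])
```

With the constructed data, a tenant-1000 department admin asking for `dept-B1` gets the rule back from `datarule_unchecked` but a 403 from `datarule`, and every `datarule` call, allowed or denied, leaves an audit row.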