JeecgBoot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*, +1 more
- <= 3.9.0
A privilege escalation vulnerability has been identified in JeecgBoot versions prior to 3.9.0. The issue arises in the 'queryDepartPermission' function within the 'SysPermissionController' file. The vulnerability allows for improper authorization by manipulating the 'departId' parameter in the department authorization menu query API. This flaw can be exploited remotely and is characterized by high complexity, as it requires knowledge of the target tenant's department ID and a valid login session. The vulnerability exposes the department's complete menu authorization configuration, allowing attackers to enumerate department IDs and obtain sensitive permission data from all tenants.
Exploitation of this vulnerability leads to unauthorized access to department menu authorization configurations across different tenants. This not only exposes sensitive functional module access but also allows for the mapping of the system's complete functional architecture by reverse-engineering permission IDs. Such intelligence can be leveraged for subsequent privilege escalation attacks by targeting high-privilege departments.
To reproduce this vulnerability, an attacker must have a valid login session and knowledge of the target tenant's department ID. Once these conditions are met, the attacker can send a GET request to the '/sys/permission/queryDepartPermission' endpoint, including the 'departId' parameter. The API response will contain the list of permission IDs for the queried department, which can be verified by cross-referencing with the permission configurations of the same department under a different tenant.
To address this vulnerability, it is recommended to implement tenant ownership validation for departments before querying permissions. This can be done by checking if the department belongs to the current tenant and restricting permission queries to department administrators or system administrators. Additionally, applying data desensitization based on the querier's role and logging all permission query operations can help mitigate the risk.
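The following is an added example, not code from the JeecgBoot project, showing the shape of the mitigation described above: the department lookup is guarded by a tenant-ownership check, restricted to system or department administrators, and every query is logged. The entity and session types (`Depart`, `Session`, `Role`) and the in-memory store are hypothetical stand-ins for the application's real services; the constructed sample data in `main` exists only to exercise the two code paths.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Added example (not JeecgBoot's own code). Demonstrates a tenant-ownership check
 * in front of a department-permission query, the mitigation the advisory recommends.
 * Depart, Session and Role are hypothetical stand-ins for the real application entities.
 */
public class DepartPermissionGuard {
    private static final Logger LOG = Logger.getLogger(DepartPermissionGuard.class.getName());

    enum Role { SYSTEM_ADMIN, DEPART_ADMIN, USER }

    /** Hypothetical department record: its id and the tenant that owns it. */
    record Depart(String id, String tenantId) {}

    /** Hypothetical caller context: user, current tenant, role and departments administered. */
    record Session(String userId, String tenantId, Role role, Set<String> adminOfDeparts) {}

    /** Raised when the caller may not read the requested department's configuration. */
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    // In-memory stand-in for the department and permission tables.
    private final Map<String, Depart> departs = new HashMap<>();
    private final Map<String, List<String>> permissionsByDepart = new HashMap<>();

    void addDepart(Depart depart, List<String> permissionIds) {
        departs.put(depart.id(), depart);
        permissionsByDepart.put(depart.id(), List.copyOf(permissionIds));
    }

    /**
     * Hardened lookup:
     *  1. the department must exist and belong to the caller's tenant (cross-tenant ids are rejected);
     *  2. only a system admin, or a department admin of that department, may read the full configuration;
     *  3. every attempt, allowed or denied, is written to the audit log.
     */
    List<String> queryDepartPermission(Session caller, String departId) {
        Depart depart = departs.get(departId);
        // Unknown ids and ids owned by other tenants get the identical response, so the
        // endpoint cannot be used to confirm which department ids exist elsewhere.
        if (depart == null || !depart.tenantId().equals(caller.tenantId())) {
            LOG.warning(String.format("DENY user=%s tenant=%s departId=%s reason=not-in-tenant",
                    caller.userId(), caller.tenantId(), departId));
            throw new AccessDeniedException("department not found in current tenant");
        }
        boolean isAdmin = caller.role() == Role.SYSTEM_ADMIN
                || (caller.role() == Role.DEPART_ADMIN && caller.adminOfDeparts().contains(departId));
        if (!isAdmin) {
            LOG.warning(String.format("DENY user=%s tenant=%s departId=%s reason=insufficient-role",
                    caller.userId(), caller.tenantId(), departId));
            throw new AccessDeniedException("permission query restricted to administrators");
        }
        LOG.info(String.format("ALLOW user=%s tenant=%s departId=%s",
                caller.userId(), caller.tenantId(), departId));
        return permissionsByDepart.getOrDefault(departId, List.of());
    }

    public static void main(String[] args) {
        DepartPermissionGuard guard = new DepartPermissionGuard();
        // Constructed sample data: two tenants, one department each.
        guard.addDepart(new Depart("dept-A1", "tenant-A"), List.of("perm-1", "perm-2"));
        guard.addDepart(new Depart("dept-B1", "tenant-B"), List.of("perm-9"));

        Session adminOfA1 = new Session("alice", "tenant-A", Role.DEPART_ADMIN, Set.of("dept-A1"));
        System.out.println("own department: " + guard.queryDepartPermission(adminOfA1, "dept-A1"));

        try {
            // Same valid session, but a department id belonging to another tenant.
            guard.queryDepartPermission(adminOfA1, "dept-B1");
        } catch (AccessDeniedException e) {
            System.out.println("cross-tenant query rejected: " + e.getMessage());
        }
    }
}
```

The two denial branches deliberately return the same error text to the client while logging distinct reasons, so administrators can distinguish enumeration attempts from role misconfiguration without giving the caller an oracle for which department ids exist. If the product needs ordinary users of the same tenant to see part of the configuration, the role check is the place to substitute a reduced, role-filtered view for the full permission list.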