JeecgBoot Improper Authorization Vulnerability in Position User List Function

Vulnerability

JeecgBoot versions prior to 3.9.0 contain an improper authorization flaw in the 'getPositionUserList' method of 'SysPositionController'. The endpoint takes a 'positionId' parameter and returns the users assigned to that position, but it never verifies that the position belongs to the caller's tenant. An authenticated user of one tenant can therefore supply the position ID of another tenant and read that tenant's user list. The issue is exploitable remotely; it requires a valid login session and knowledge of the target tenant's position ID. The vulnerability has been publicly disclosed and a proof-of-concept exploit is available.

Impact

Exploitation gives an attacker cross-tenant access to personnel information, including real names, usernames, and department affiliations. Beyond the privacy and data-protection implications, this exposes the organizational structure of other tenants, which can be leveraged for social engineering such as phishing or impersonation fraud. The response also serves as an account-enumeration source: it yields a list of valid usernames that can then be targeted by password-guessing or credential-stuffing attacks.

Reproduction

To reproduce this vulnerability, log in as a user of one tenant and send a GET request to the '/sys/position/getPositionUserList' endpoint with a 'positionId' parameter that belongs to a position in a different tenant. On an affected version the response contains the user details of that other tenant, confirming the unauthorized access; a fixed version should return an empty result or an error for the foreign position ID. The request itself is an ordinary authenticated call, so only the mismatch between the caller's tenant and the position's tenant distinguishes it from legitimate use.

Remediation

To address this vulnerability, validate tenant ownership of the position ID before processing the user list request: load the position, compare its tenant with the current tenant taken from the session, and reject the request when they differ. Treat a foreign position the same as a nonexistent one, so the endpoint does not confirm which position IDs exist in other tenants. In addition, make the service-layer 'getPositionUserList' query itself filter by the current tenant, so the controller check is not the only line of defence. Desensitizing sensitive user fields in the response and restricting position member lists by permission level further reduce the exposure. Finally, audit-log position member queries so that abnormal patterns, such as one session walking through many position IDs, can be detected and investigated.
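The following is an added example that models the flaw and the fix side by side; it is not JeecgBoot code and does not use its classes. The Position and User records, the tenant IDs, the sample rows and the AUDIT_LOG list are all constructed for illustration. The vulnerable function trusts positionId and returns whole user records; the hardened one checks tenant ownership, scopes the query to the caller's tenant, returns only the fields a member list needs, and records every query.

```python
"""Vulnerable and hardened 'position user list' lookups over in-memory data.

Added example, not JeecgBoot code. All names and rows below are constructed.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Position:
    id: str
    tenant_id: int
    name: str


@dataclass(frozen=True)
class User:
    username: str
    realname: str
    org_code: str
    tenant_id: int
    position_ids: Tuple[str, ...]
    phone: str  # a field that must never reach a member list


# Constructed sample data: two tenants, one position each.
POSITIONS: Dict[str, Position] = {
    "pos-100": Position("pos-100", tenant_id=1, name="Finance Lead"),
    "pos-200": Position("pos-200", tenant_id=2, name="Security Lead"),
}
USERS: List[User] = [
    User("alice", "Alice Adams", "A01", 1, ("pos-100",), "13800000001"),
    User("bob", "Bob Brown", "B01", 2, ("pos-200",), "13800000002"),
    User("carol", "Carol Chen", "B02", 2, ("pos-200",), "13800000003"),
]
AUDIT_LOG: List[dict] = []  # stand-in for a real audit sink


class Forbidden(Exception):
    """Raised when the caller's tenant does not own the requested position."""


def to_public_view(u: User) -> dict:
    """Desensitization: only the fields a member list needs; no phone, no tenant."""
    return {"username": u.username, "realname": u.realname, "orgCode": u.org_code}


def vulnerable_get_position_user_list(position_id: str, current_tenant: int) -> List[dict]:
    """The flaw: positionId is used as given; current_tenant is never consulted,
    and full records (including phone) are returned."""
    return [asdict(u) for u in USERS if position_id in u.position_ids]


def hardened_get_position_user_list(position_id: str, current_tenant: int) -> List[dict]:
    """Ownership check first, tenant-scoped query second, audit entry always."""
    pos = POSITIONS.get(position_id)
    # Unknown and foreign positions get the same answer, so the endpoint
    # cannot be used to confirm that a position id exists in another tenant.
    if pos is None or pos.tenant_id != current_tenant:
        AUDIT_LOG.append({"tenant": current_tenant, "positionId": position_id, "outcome": "denied"})
        raise Forbidden("position not found")
    # Service-layer defence in depth: even for an owned position, restrict the
    # query to the caller's tenant so a caller that skips the check above
    # still cannot read across tenants.
    rows = [u for u in USERS if position_id in u.position_ids and u.tenant_id == current_tenant]
    AUDIT_LOG.append({"tenant": current_tenant, "positionId": position_id,
                      "outcome": "ok", "count": len(rows)})
    return [to_public_view(u) for u in rows]


if __name__ == "__main__":
    print("vulnerable, tenant 1 asks for pos-200:", vulnerable_get_position_user_list("pos-200", 1))
    try:
        hardened_get_position_user_list("pos-200", 1)
    except Forbidden as exc:
        print("hardened, tenant 1 asks for pos-200:", exc)
    print("hardened, tenant 1 asks for pos-100:", hardened_get_position_user_list("pos-100", 1))
    print("audit:", AUDIT_LOG)
```

The denied branch deliberately returns the same "position not found" answer for a foreign ID and for an unknown ID; an advisory-style fix that answers "forbidden" for foreign IDs would still let a caller enumerate which IDs exist in other tenants.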

Added: Dec 28, 2025, 8:18 AM
Updated: Dec 28, 2025, 8:18 AM

Vulnerability Rating

Custom Algorithm
spread          0.8
impact          0.6
exploitability  6.6
remediation     0.0
relevance       1.8
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.