RUoYi Privilege Escalation Vulnerability
Vulnerability
A privilege escalation vulnerability has been identified in RUoYi version 4.8.0. This issue allows remote attackers to manipulate the jobId parameter in requests to the /monitor/job/detail/{jobId} endpoint, thereby accessing job scheduling logs of other users without authorization. The vulnerability arises from inadequate authorization checks in the application.
Impact
Exploitation of this vulnerability allows for unauthorized access to sensitive information, specifically job scheduling logs of other users, which could be misused for further attacks or to gain additional privileges within the application.
Reproduction
To reproduce this vulnerability, access the /monitor/job/detail/{jobId} endpoint. Modify the jobId parameter to request scheduling logs from other users. The application will return the logs without proper authorization, exposing sensitive information.
Remediation
Users are advised to update to RUoYi version 4.8.1, where this vulnerability has been addressed.
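The defect described above is a missing object-level authorization check: the handler authenticates the caller and then trusts the client-supplied jobId to select which record to return. Upgrading to 4.8.1 is the remediation for RUoYi itself; the following added example (not RUoYi's code, and making no claim about how 4.8.1 implements its fix) models the vulnerable handler next to a hardened one, and shows a small detection pass over constructed access-log lines that flags successful reads of jobs the requesting user does not own. The User and Job classes, the JOBS table, the log format and all sample values are constructed for illustration.

```python
"""Object-level authorization for a job-detail endpoint, modelled on the
/monitor/job/detail/{jobId} issue described above.

Added example, not RUoYi's code. User, Job, JOBS, the log format and the
sample log lines are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


@dataclass
class Job:
    job_id: int
    owner: str                      # user who created the scheduled job
    logs: list = field(default_factory=list)


# Constructed stand-in for the job and job-log tables.
JOBS = {
    100: Job(100, "alice", ["alice: backup ran at 02:00"]),
    101: Job(101, "bob",   ["bob: report ran at 03:00"]),
}


class Forbidden(Exception):
    """Raised when the caller may not view the requested job."""


def job_detail_vulnerable(current_user: User, job_id: int) -> list:
    """Pattern of the 4.8.0 behaviour: the caller is authenticated, but the job
    is looked up by the client-supplied id with no ownership check, so any
    logged-in user can read any job's logs by changing jobId."""
    job = JOBS.get(job_id)
    if job is None:
        raise KeyError(job_id)
    return job.logs


def can_view_job(current_user: User, job: Job) -> bool:
    """Object-level check: the job's owner, or an administrator, may view it."""
    return job.owner == current_user.name or "admin" in current_user.roles


def job_detail_fixed(current_user: User, job_id: int) -> list:
    """Hardened form: authorise against the object, not just the route."""
    job = JOBS.get(job_id)
    if job is None or not can_view_job(current_user, job):
        # Same outcome for "missing" and "not yours", so the error message
        # does not confirm which ids exist.
        raise Forbidden(f"job {job_id} not accessible")
    return job.logs


def is_accessible(current_user: User, job_id: int) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        job_detail_fixed(current_user, job_id)
        return True
    except Forbidden:
        return False


# Constructed access-log format: timestamp, authenticated user, request, status.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) GET /monitor/job/detail/(?P<job_id>\d+) (?P<status>\d{3})$"
)

SAMPLE_ACCESS_LOG = """\
2024-06-01T10:00:01Z user=alice GET /monitor/job/detail/100 200
2024-06-01T10:00:05Z user=bob GET /monitor/job/detail/101 200
2024-06-01T10:00:06Z user=bob GET /monitor/job/detail/100 200
2024-06-01T10:00:07Z user=bob GET /monitor/job/detail/999 404
"""


def find_cross_user_reads(log_text: str, jobs=JOBS) -> dict:
    """Return {user: [job ids]} for successful (200) detail reads of jobs that
    a different user owns. Ids not present in `jobs` are skipped, since the
    ownership table is what tells us a read crossed a boundary."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["status"] != "200":
            continue
        job = jobs.get(int(m["job_id"]))
        if job is not None and job.owner != m["user"]:
            hits[m["user"]].append(job.job_id)
    return dict(hits)


if __name__ == "__main__":
    bob = User("bob")
    print("vulnerable:", job_detail_vulnerable(bob, 100))   # alice's logs leak
    print("fixed allows own job:", is_accessible(bob, 101))
    print("fixed blocks other job:", is_accessible(bob, 100))
    print("cross-user reads in log:", find_cross_user_reads(SAMPLE_ACCESS_LOG))
```

The point of the hardened handler is that the check is made on the record that the id resolves to, not on the route: a permission such as "may view job details" does not by itself tell you which jobs the caller may view. The detector only works where the application logs the authenticated user alongside the request path and the ownership data is available to join against; a burst of distinct jobId values from one account is the signal to look for in a real deployment.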
