java-aodeng hope-boot
cpe:2.3:a:hope-boot_project:hope-boot:*:*:*:*:*:*:*
- <= 1.0.0
hope-boot 1.0.0 contains an authentication bypass. Access control on the '/user/edit/' component is incorrect, so an unauthenticated attacker can reach it with a crafted GET request. The root cause is the insecure version of Apache Shiro that hope-boot uses for authentication, which leaves certain interfaces unprotected and reachable without a valid session.
Successful exploitation bypasses authentication entirely and gives the attacker access to the user-editing functionality.
To reproduce, send a GET request to '/user/edit/1' with a 'Host' header of 'localhost:8886' and a 'User-Agent' header indicating Apifox 1.0.0. The request is served without any authentication and returns the user edit interface. When checking this yourself, disable redirect-following in the client: a deployment that is actually protected answers with a redirect to the login page or with 401/403, and a client that silently follows the redirect can hide that difference.