JeecgBoot SQL Injection Vulnerability in Online Report Parsing Endpoint

A SQL injection vulnerability has been identified in JeecgBoot versions 3.4.3 prior to 3.8.0. The issue resides in the online report interface at '/jeecg-boot/online/cgreport/head/parseSql'. The vulnerability allows attackers to bypass SQL blacklist restrictions, leading to potential unauthorized database access. The root cause is improper handling of subquery statements, which enables the injection of malicious SQL that can manipulate or access database information.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, send a GET request to the '/jeecg-boot/online/cgreport/head/parseSql' endpoint with a crafted SQL query that includes a subquery. The injected SQL should be designed to throw an exception that bypasses the application's SQL blacklist validation. Once the injection is successful, the same SQL query can be used to extract database information through the application's report generation features.

Remediation

Users are advised to update to JeecgBoot version 3.8.0 or later, where this vulnerability has been fixed.