JeecgBoot Improper Authorization Vulnerability in SysAnnouncementController

Vulnerability

An improper authorization vulnerability has been identified in JeecgBoot versions through 3.9.1, in the SysAnnouncementController. None of the controller's management endpoints carries a permission annotation such as @RequiresPermissions or @RequiresRoles, so the only check a request has to pass is authentication. As a result, any authenticated user holding a valid JWT can perform administrative actions on system announcements, including announcements created by other users. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows functional (vertical) and horizontal privilege escalation: a low-privilege user can create, publish and otherwise manage system-wide announcements, including those belonging to other users, without holding any announcement-management permission.

Reproduction

To reproduce this vulnerability, log in with a low-privilege account and obtain its JWT. Then send a POST request to the '/sys/annountCement/add' endpoint (the path segment is spelled 'annountCement' in the application's route) to create a fake announcement. After that, publish the announcement by calling the '/sys/annountCement/doReleaseData' endpoint with the ID of the newly created announcement. Both calls succeed even though the account holds no permission to manage announcements.

Remediation

The vendor has confirmed this vulnerability and will provide a fix in the next release. Note that adding permission annotations to the handlers addresses the functional escalation (who may manage announcements at all); preventing one user from publishing or modifying another user's announcements additionally requires the handler to verify that the caller owns, or is otherwise permitted to manage, the record selected by the submitted ID.
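As an added example (not code from this advisory, from JeecgBoot, or from the vendor's fix), the following Python script audits Java controller source for the condition the Vulnerability section describes: HTTP handler methods that carry neither @RequiresPermissions nor @RequiresRoles, on the method or on its class. It can be run over a patched release to confirm that the annotations were added, or over other controllers to look for the same pattern. The embedded Java controller is a constructed sketch with the shape of the affected controller, not the project's real source, and the permission string on the guarded method is an assumption chosen for illustration.

```python
"""Audit a Spring MVC controller for handler methods without a Shiro guard.

Added example for this advisory; not JeecgBoot code. The Java text below is a
constructed sketch, not the project's real SysAnnouncementController.
"""
import re
from dataclasses import dataclass
from typing import List

# Annotations that make a method an HTTP handler.
MAPPING_ANNOTATIONS = {
    "RequestMapping", "GetMapping", "PostMapping",
    "PutMapping", "DeleteMapping", "PatchMapping",
}
# The Shiro annotations the advisory names as missing. @RequiresAuthentication
# is deliberately not a guard here: authentication alone is the problem.
GUARD_ANNOTATIONS = {"RequiresPermissions", "RequiresRoles"}

ANNOTATION_RE = re.compile(r"@(\w+)")
QUOTED_RE = re.compile(r'"([^"]*)"')
CLASS_RE = re.compile(r"^\s*public\s+(?:final\s+)?class\s+(\w+)")
# Modifier, return type (generics allowed), method name, opening parenthesis.
METHOD_RE = re.compile(r"^\s*(?:public|protected|private)\s+[\w<>\[\],\s?]+?\s+(\w+)\s*\(")


@dataclass
class Finding:
    method: str  # Java method name
    path: str    # class mapping joined with the method mapping
    line: int    # 1-based line of the method declaration


def _mapping_path(annotation_lines: List[str]) -> str:
    """Return the first quoted path of a mapping annotation, or '' if none."""
    for text in annotation_lines:
        if set(ANNOTATION_RE.findall(text)) & MAPPING_ANNOTATIONS:
            match = QUOTED_RE.search(text)
            return match.group(1) if match else ""
    return ""


def find_unguarded_handlers(java_source: str) -> List[Finding]:
    """Report handlers with no guard on the method and none on the class.

    Assumes one annotation per line (the usual Java layout); annotations whose
    arguments span several lines are not parsed.
    """
    findings: List[Finding] = []
    pending: List[str] = []  # annotation lines seen since the last declaration
    class_path = ""
    class_guarded = False
    for lineno, raw in enumerate(java_source.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if line.startswith("@"):
            pending.append(line)
            continue
        names = set()
        for text in pending:
            names.update(ANNOTATION_RE.findall(text))
        if CLASS_RE.match(line):
            # Shiro falls back to the class annotation when the method has
            # none, so a class-level guard covers every handler.
            class_path = _mapping_path(pending)
            class_guarded = bool(names & GUARD_ANNOTATIONS)
        else:
            method = METHOD_RE.match(line)
            if (method and (names & MAPPING_ANNOTATIONS)
                    and not class_guarded and not (names & GUARD_ANNOTATIONS)):
                method_path = _mapping_path(pending)
                path = class_path.rstrip("/")
                if method_path:
                    path += "/" + method_path.lstrip("/")
                findings.append(Finding(method.group(1), path, lineno))
        pending = []  # any non-annotation line closes the annotation block
    return findings


# Constructed sketch of a controller with the advisory's shape (not real code).
SAMPLE_CONTROLLER = """\
package org.example;

@RestController
@RequestMapping("/sys/annountCement")
public class SysAnnouncementController {

    @Autowired
    private ISysAnnouncementService sysAnnouncementService;

    // Authenticated only: any valid JWT reaches these two handlers.
    @PostMapping(value = "/add")
    public Result<?> add(@RequestBody SysAnnouncement announcement) {
        return Result.ok(sysAnnouncementService.save(announcement));
    }

    @RequestMapping(value = "/doReleaseData", method = RequestMethod.GET)
    public Result<?> doReleaseData(@RequestParam(name = "id") String id) {
        return Result.ok(sysAnnouncementService.release(id));
    }

    // Guarded; the permission string is an assumption for illustration.
    @RequiresPermissions("annountCement:delete")
    @DeleteMapping(value = "/delete")
    public Result<?> delete(@RequestParam(name = "id") String id) {
        return Result.ok(sysAnnouncementService.remove(id));
    }
}
"""

if __name__ == "__main__":
    for f in find_unguarded_handlers(SAMPLE_CONTROLLER):
        print(f"{f.path}  ({f.method}, line {f.line}): no @RequiresPermissions/@RequiresRoles")
```

Run against the sketch, the script lists add and doReleaseData and stays silent on delete; adding a class-level @RequiresRoles or @RequiresPermissions clears every finding, since Shiro applies the class annotation to methods that have none. For a real audit, read each controller file and pass its text to find_unguarded_handlers.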

Added: Apr 10, 2026, 3:25 AM
Updated: Apr 10, 2026, 3:25 AM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 1.3
exploitability: 6.6
remediation: 7.7
relevance: 5.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.