JeecgBoot SQL Injection Vulnerability in Dictionary Lookup Endpoint

Vulnerability

A SQL injection vulnerability has been identified in JeecgBoot versions through 3.9.1. The issue resides in the 'loadDict' endpoint of the 'SqlInjectionUtil' class, where the 'keyword' parameter is improperly sanitized before being concatenated into a SQL 'LIKE' clause. This flaw allows authenticated users to inject SQL logic and potentially access sensitive data from the database.
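To illustrate the flaw described above, the following is an added example written for this advisory, not JeecgBoot's own code: a hypothetical dictionary lookup that concatenates the 'keyword' parameter into a 'LIKE' clause, alongside a hardened version that binds the keyword as a parameter and escapes 'LIKE' wildcards. The class, table, column and method names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Set;

public class DictLookupExample {

    // Hypothetical allow-list of column names the lookup may search.
    // Identifiers cannot be bound as parameters, so they must be validated
    // separately from the keyword.
    private static final Set<String> ALLOWED_TEXT_FIELDS = Set.of("item_text", "item_value");

    // Vulnerable pattern (illustration only): the caller-supplied keyword is
    // spliced straight into the LIKE clause, so a quote character or boolean
    // logic inside it becomes part of the query the database executes.
    static String buildVulnerableQuery(String textField, String keyword) {
        return "SELECT " + textField + " FROM dict_table"
             + " WHERE " + textField + " LIKE '%" + keyword + "%'";
    }

    // Escape LIKE metacharacters using '!' as the escape character, so a
    // keyword containing '%' or '_' matches literally instead of widening
    // the pattern. '!' is used rather than backslash to stay portable
    // across database string-literal rules.
    static String escapeLike(String keyword) {
        return keyword.replace("!", "!!")
                      .replace("%", "!%")
                      .replace("_", "!_");
    }

    // Hardened form: the column name is checked against the allow-list and
    // the keyword travels as a bound parameter, never as SQL text.
    static PreparedStatement prepareSafeQuery(Connection conn, String textField, String keyword)
            throws SQLException {
        if (!ALLOWED_TEXT_FIELDS.contains(textField)) {
            throw new IllegalArgumentException("column not permitted: " + textField);
        }
        String sql = "SELECT " + textField + " FROM dict_table"
                   + " WHERE " + textField + " LIKE ? ESCAPE '!'";
        PreparedStatement ps = conn.prepareStatement(sql);
        ps.setString(1, "%" + escapeLike(keyword) + "%");
        return ps;
    }
}
```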

Impact

Exploitation of this vulnerability allows authenticated low-privileged users to perform blind SQL injection through the 'loadDict' endpoint. This could lead to unauthorized access to sensitive information, such as password hashes, from the 'sys_user' table.

Reproduction

To reproduce this vulnerability, authenticate as a low-privileged user and obtain a valid access token. Then, send a signed GET request to '/sys/dict/loadDict/{dictCode}' with an injected boolean expression in the 'keyword' parameter. The response will indicate whether the injected condition was true or false, allowing for SQL injection exploitation.

Remediation

The vulnerability has been fixed in version 3.9.2. Users are advised to update to this version.

Added: Apr 28, 2026, 8:03 PM
Updated: Apr 28, 2026, 8:03 PM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread           0.8
impact           3.1
exploitability   6.6
remediation      7.7
relevance        6.9
threat           6.4
urgency          2.9
incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.