JeecgBoot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*
- <= 3.9.1
A remote code execution vulnerability has been identified in JeecgBoot versions through 3.9.1. The issue arises from unsafe reflection in the FillRuleUtil component, specifically within the SysFillRuleController.edit() method. The vulnerability allows authenticated users to inject malicious class names into the ruleClass parameter of existing fill rules. This injected payload is executed when an administrator creates a department, leading to arbitrary code execution.
Exploitation of this vulnerability allows for second-order remote code execution on the server.
To reproduce this vulnerability, first identify the ID of an existing fill rule. Then, send a POST request to the /sys/fillRule/edit endpoint, injecting a malicious class name into the ruleClass field. After the malicious class name is stored in the database, an administrator can trigger the execution by creating a new department through the /sys/sysDepart/add endpoint. This process will execute the injected payload, resulting in remote code execution.
The vulnerability has been fixed in JeecgBoot version 3.9.2.
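The unsafe-reflection pattern described above, next to one way to constrain it, as an added example that is not JeecgBoot's code or its 3.9.2 fix. The `RuleHandler` interface, the `OrderNumberRule` class and the allowlist are hypothetical names chosen for illustration.

```java
import java.util.Set;

// Added illustration: all type names here are hypothetical, not JeecgBoot's.
public class FillRuleLoading {

    /** Hypothetical contract that every legitimate fill rule implements. */
    public interface RuleHandler {
        String execute(String params);
    }

    /** Constructed sample handler standing in for a shipped rule class. */
    public static class OrderNumberRule implements RuleHandler {
        public String execute(String params) { return "ORD-" + params; }
    }

    // Fully qualified names of the handlers the application actually ships.
    private static final Set<String> ALLOWED = Set.of(OrderNumberRule.class.getName());

    /** Unsafe pattern: whatever name is stored in ruleClass gets loaded and constructed. */
    static Object loadUnsafe(String ruleClass) throws Exception {
        return Class.forName(ruleClass).getDeclaredConstructor().newInstance();
    }

    /** Constrained pattern: allowlist, lookup without initialisation, then a type check. */
    static RuleHandler loadChecked(String ruleClass) throws Exception {
        if (ruleClass == null || !ALLOWED.contains(ruleClass)) {
            throw new SecurityException("ruleClass not allowlisted: " + ruleClass);
        }
        // initialize=false keeps static initialisers from running during the lookup.
        Class<?> c = Class.forName(ruleClass, false, FillRuleLoading.class.getClassLoader());
        if (!RuleHandler.class.isAssignableFrom(c)) {
            throw new SecurityException("ruleClass is not a RuleHandler: " + ruleClass);
        }
        return c.asSubclass(RuleHandler.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Allowlisted handler: constructed and executed normally.
        System.out.println(loadChecked(OrderNumberRule.class.getName()).execute("0001"));
        // Constructed sample of a stored value that is a real class but not a handler.
        try {
            loadChecked("java.util.ArrayList");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the issue is second-order, the same check belongs both where the rule is saved and where it is executed; a value stored before the check existed is only caught at execution time.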