JeecgBoot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*
- <= 3.9.1
A SQL injection vulnerability has been identified in JeecgBoot versions through 3.9.1. The issue resides in the JSON Object Handler component, specifically within the '/sys/dict/loadTreeData' API endpoint. The vulnerability is triggered by manipulating the 'condition' parameter, which is processed without proper validation or sanitization, allowing for the injection of malicious SQL that can be executed on the database. This vulnerability can be exploited remotely by authenticated users with a valid JWT token.
Exploitation of this vulnerability allows for UNION-based SQL injection, where an attacker can exfiltrate data from the database. This includes sensitive information such as admin password hashes, which could be used for further exploitation.
To reproduce this vulnerability, send a GET request to the '/sys/dict/loadTreeData' endpoint with a crafted 'condition' parameter that includes the '_tableFilterSql' key. The value should be a SQL injection payload, such as a UNION SELECT statement. Ensure that the request includes a valid JWT token in the 'X-Access-Token' header.
The vendor has acknowledged the issue and stated that it should have been fixed, but no official patch is available yet.
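While no official patch is available, access logs can be reviewed for requests that match the pattern described above. The following detection sketch is an added example, not code from the advisory or from JeecgBoot, and it flags requests to '/sys/dict/loadTreeData' whose 'condition' JSON carries the '_tableFilterSql' key. It assumes a combined-format access log that records the full query string; the context path, addresses and parameter values in the sample lines are constructed placeholders.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/sys/dict/loadTreeData"   # endpoint named in the advisory
RISKY_KEY = "_tableFilterSql"         # JSON key named in the advisory
SQL_HINT = re.compile(r"\bunion\b.+\bselect\b", re.I | re.S)
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')  # combined log format (assumed)

def find_key(node, key):
    """Collect every value stored under `key` at any depth of parsed JSON."""
    hits = []
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                hits.append(v)
            hits.extend(find_key(v, key))
    elif isinstance(node, list):
        for item in node:
            hits.extend(find_key(item, key))
    return hits

def classify(line):
    """Return None for unrelated lines, else a (severity, reason) tuple."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith(ENDPOINT):
        return None
    for raw in parse_qs(url.query).get("condition", []):  # parse_qs URL-decodes once
        try:
            values = find_key(json.loads(raw), RISKY_KEY)
        except ValueError:
            return ("review", "condition is not valid JSON")
        if any(SQL_HINT.search(str(v)) for v in values):
            return ("high", "UNION SELECT inside " + RISKY_KEY)
        if values:
            return ("medium", RISKY_KEY + " supplied by client")
    return ("info", "no " + RISKY_KEY + " in condition")

# Constructed log lines; addresses, context path and values are placeholders.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /jeecg-boot/sys/dict/loadTreeData?condition=%7B%22status%22%3A%221%22%7D HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /jeecg-boot/sys/dict/loadTreeData?condition=%7B%22_tableFilterSql%22%3A%22REDACTED%20UNION%20SELECT%20REDACTED%22%7D HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2025:10:00:09 +0000] "GET /jeecg-boot/sys/user/list HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

A "medium" or "high" result on a 200 response is worth correlating with the JWT subject in the 'X-Access-Token' header, since the advisory states that exploitation requires an authenticated user.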