JeecgBoot
cpe:2.3:a:jeecg:jeecg-boot:*:*:*:*:*:*:*
- <= 3.9.1
A mass assignment vulnerability has been identified in JeecgBoot versions prior to 3.9.1. This vulnerability allows authenticated users to inject values into user identification fields, such as 'fromUserId', 'toUserId', and 'createBy', thereby impersonating other users. The issue arises from the absence of proper access controls on certain endpoints, which allows for unauthorized manipulation of user identity data. The vulnerability can be exploited remotely, and a public exploit is available.
Exploitation of this vulnerability allows for identity impersonation, where an attacker can perform actions on behalf of another user, such as posting comments as that user or attributing actions to them.
To reproduce this vulnerability, an authenticated user can send a POST request to the '/sys/comment/add' endpoint without the required permissions. The request must include injected values for 'fromUserId' and 'toUserId', which will be accepted and processed as if they were from the current user. This can be verified by checking the database for the injected user IDs. Similarly, the '/sys/checkRule/add' endpoint can be used to inject a 'createBy' value, impersonating another user when creating a check rule.
Upgrading to JeecgBoot version 3.9.2 addresses this vulnerability by implementing proper access controls and ensuring that user identification fields are correctly managed.
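The binding flaw and its correction, as an added example (plain Java written for this page, not JeecgBoot source): the vulnerable handler copies the identity fields named above straight from the request body, while the hardened handler checks a permission, binds only allow-listed fields, and takes identity from the session. The class, method and permission names and the sample IDs are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;

// Added illustration; all names here are hypothetical, not JeecgBoot code.
public class MassAssignmentDemo {

    // Persistence entity: identity fields sit next to user-editable ones.
    record Comment(String fromUserId, String toUserId, String createBy, String content) {}

    // Request DTO for the hardened path: only fields a client may set.
    record CommentRequest(String toUserId, String content) {}

    // Vulnerable pattern: every key in the body is bound onto the entity,
    // so client-supplied fromUserId / createBy are stored as-is.
    static Comment addVulnerable(Map<String, String> body, String sessionUserId) {
        return new Comment(body.get("fromUserId"), body.get("toUserId"),
                body.get("createBy"), body.get("content"));
    }

    // Hardened pattern: enforce the permission, bind allow-listed fields only,
    // and set identity from the authenticated session, never from the request.
    static Comment addHardened(Map<String, String> body, String sessionUserId,
                               Set<String> permissions) {
        if (!permissions.contains("comment:add")) { // hypothetical permission name
            throw new SecurityException("caller lacks comment:add");
        }
        CommentRequest req = new CommentRequest(body.get("toUserId"), body.get("content"));
        if (req.content() == null || req.content().isBlank()) {
            throw new IllegalArgumentException("content is required");
        }
        return new Comment(sessionUserId, req.toUserId(), sessionUserId, req.content());
    }

    public static void main(String[] args) {
        // Constructed request: the caller is u-1001 but claims to be u-0001.
        Map<String, String> body = Map.of(
                "fromUserId", "u-0001", "createBy", "u-0001",
                "toUserId", "u-2002", "content", "hello");
        String sessionUserId = "u-1001";

        System.out.println("vulnerable: " + addVulnerable(body, sessionUserId));
        System.out.println("hardened:   "
                + addHardened(body, sessionUserId, Set.of("comment:add")));
    }
}
```

In the hardened output, `fromUserId` and `createBy` carry the session user rather than the values sent in the body. Stored records can be audited against the same invariant.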