Lucene search

GitHub Advisory DatabaseGHSA-26HM-R6MG-963C

HistoryJan 26, 2022 - 12:01 a.m.

SQL Injection in JeecgBoot

2022-01-2600:01:25

CWE-89

GitHub Advisory Database

github.com

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

54.5%

JSON

In JeecgBoot 3.0, there is a SQL injection vulnerability that can operate the database with root privileges. A patch has been released on the repository’s master branch.

Affected configurations

Vulners

Node

trusted_boot_projecttrusted_bootRange≤3.0

CPENameOperatorVersion
org.jeecgframework.boot:jeecg-boot-base-corele3.0
org.jeecgframework.boot:jeecg-boot-basele3.0

CPE	Name	Operator	Version
	org.jeecgframework.boot:jeecg-boot-base-core	le	3.0
	org.jeecgframework.boot:jeecg-boot-base	le	3.0

References

github.com/advisories/GHSA-26hm-r6mg-963c

github.com/jeecgboot/jeecg-boot/commit/baefc1338dd03de36384ce7d5846b08041b488d0

github.com/jeecgboot/jeecg-boot/issues/3331

nvd.nist.gov/vuln/detail/CVE-2021-46089

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

0.002 Low

EPSS

Percentile

54.5%

JSON

Related for GHSA-26HM-R6MG-963C