CVE-2023-40989

SQL injection vulnerbility in jeecgboot jeecg-boot v 3.0, 3.5.3 that allows a remote attacker to execute arbitrary code via a crafted request to the report/jeecgboot/jmreport/queryFieldBySql component.

Published: Sep 22, 2023
Updated: May 9, 2024
CVE: CVE-2023-40989
GHSA: GHSA-rwhx-6hx7-pqc8
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
jeecg / jeecg_boot	3.0	3.0.x
jeecg / jeecg_boot	3.5.3	3.5.3.x
org.jeecgframework.boot / jeecg-boot-common	-	3.6.0

https://github.com/jeecgboot/jeecg-boot/commit/473875a9d261780a3400cf6f8260ca441b768ed1
https://github.com/jeecgboot/jeecg-boot/commit/56e81fbf7bce11d2762b691f5d965b2265be608
https://github.com/jeecgboot/jeecg-boot/commit/87677df925e55e51233bf740433b30a751fc7705
https://github.com/Zone1-Z/CVE-2023-40989/blob/main/CVE-2023-40989

Vulnerability Database

CVE-2023-40989

Deep Security Visibility Without the Complexity