CVE-2020-28088
📋 TL;DR
This vulnerability allows attackers to upload arbitrary files to the jeecg-boot CMS system through the /jeecg-boot/sys/common/upload endpoint. Attackers can then execute arbitrary code on the server, potentially leading to complete system compromise. Organizations using jeecg-boot CMS version 2.3 are affected.
💻 Affected Systems
- jeecg-boot CMS
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete server takeover with attacker gaining root/system-level access, data exfiltration, ransomware deployment, and lateral movement to other systems.
Likely Case
Webshell deployment leading to data theft, credential harvesting, and use as a pivot point for further attacks.
If Mitigated
Attack blocked at the web application firewall (WAF), with file upload restrictions preventing malicious files from being executed.
🎯 Exploit Status
The vulnerability is simple to exploit with publicly available proof-of-concept code, requiring only HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.3 (check latest release)
Vendor Advisory: https://github.com/zhangdaiscott/jeecg-boot/issues/1888
Restart Required: Yes
Instructions:
1. Upgrade jeecg-boot to the latest version.
2. Restart the application server.
3. Verify the upload endpoint now validates file types and extensions properly.
🔧 Temporary Workarounds
WAF/Proxy File Upload Filtering
Configure a web application firewall or reverse proxy to block malicious file uploads to the vulnerable endpoint.
# Example nginx location block:
location /jeecg-boot/sys/common/upload {
deny all;
}
# Or implement file type validation at proxy level
Application Server File Upload Restrictions
Configure the application server to restrict file uploads to specific extensions and validate file content.
# For Tomcat: Configure web.xml with security constraints
# For Spring Boot: Implement MultipartFile validation with allowed extensions
🧯 If You Can't Patch
- Block access to /jeecg-boot/sys/common/upload endpoint at network firewall or WAF level
- Implement strict file upload validation in application code before the vulnerable endpoint processes files
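The validation the Spring Boot note and the workaround above call for, shown as an added example in Python rather than as jeecg-boot's own code: an extension allowlist applied to every dotted component of the name (so double extensions and `;`/NUL tricks fail), a magic-byte check so the content matches the claimed type, stripping of any directory part of the supplied name, and a server-generated stored name so the attacker never chooses where or under what name the file lands. The allowlist, signature table and size limit are constructed policy values for illustration, not values taken from the product.

```python
import posixpath
import secrets

# Constructed policy (assumption, not the vendor's configuration): what an
# upload endpoint is willing to store, and the file signature each type must carry.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}
MAGIC_BYTES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # constructed limit


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Decide whether an uploaded file may be stored. Returns (accepted, reason)."""
    if len(content) == 0:
        return False, "empty file"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "file too large"

    # Keep only the basename: any directory part in the client-supplied name
    # (../, absolute paths, backslashes) is discarded instead of trusted.
    name = posixpath.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        return False, "empty or hidden filename"

    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no extension"

    # Every component after the first must be allowed. This rejects
    # shell.jsp.png, shell.php;.jpg and shell.jsp\x00.png style names, because
    # the component "jsp", "php;" or "jsp\x00" is not in the allowlist.
    for component in parts[1:]:
        if component not in ALLOWED_EXTENSIONS:
            return False, f"extension '{component}' not allowed"

    ext = parts[-1]
    signatures = MAGIC_BYTES.get(ext)
    if signatures and not any(content.startswith(sig) for sig in signatures):
        return False, f"content does not match a {ext} signature"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-chosen name for an accepted upload: random token plus the validated extension."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed sample content
    for candidate, body in [
        ("photo.png", png_header),
        ("shell.jsp", b"<% out.println(1); %>"),
        ("shell.jsp.png", png_header),
        ("fake.png", b"<% out.println(1); %>"),
        ("../../x.png", png_header),
    ]:
        accepted, reason = validate_upload(candidate, body)
        print(f"{candidate!r:22} -> {'accept' if accepted else 'reject'} ({reason})")
```

Note that the validator is applied before the file is written anywhere, and that on acceptance the caller should store under `stored_name()`, in a directory the servlet container does not treat as web content; an allowlist check alone still leaves a webshell reachable if an attacker-controlled name is written into a JSP-serving path.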
🔍 How to Verify
Check if Vulnerable:
Attempt to upload a file with an executable extension (such as .jsp, .php, or .exe) to http://[target]/jeecg-boot/sys/common/upload and check whether it is accepted without validation.
Check Version:
Check application version in web interface or examine application configuration files for version information.
Verify Fix Applied:
Attempt the same file upload test after patching; it should be rejected with a proper validation error message.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to /jeecg-boot/sys/common/upload endpoint
- Files with executable extensions being written to upload directories
- HTTP 200 responses to upload requests with suspicious file types
Network Indicators:
- POST requests to /jeecg-boot/sys/common/upload with executable file content
- Subsequent requests to uploaded executable files
SIEM Query:
source="web_server" AND (url="/jeecg-boot/sys/common/upload" OR filename="*.jsp" OR filename="*.php" OR filename="*.exe")
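The log and network indicators above, turned into a small detector over web server access logs. This is an added example, not tooling from the page or from the jeecg-boot project: it parses combined-format access log lines, records POSTs to the vulnerable endpoint, and raises an alert whenever a path with an executable extension is requested, escalating to high severity when the requesting client previously uploaded something and the server answered 200. The log lines, client addresses and the `/jeecg-boot/upload/` directory in them are constructed for the demonstration; the real storage path depends on the deployment.

```python
import re

UPLOAD_ENDPOINT = "/jeecg-boot/sys/common/upload"
EXEC_EXTENSION = re.compile(r"\.(jsp|jspx|php|exe|sh|war|jar)$", re.IGNORECASE)

# Apache/nginx combined log format: ip ident user [time] "METHOD PATH PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: one client uploads and then fetches a .jsp (the
# webshell pattern), another client uploads a normal image, and a probe for a
# .php file that does not exist gets a 404.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2021:10:00:01 +0000] "GET /jeecg-boot/ HTTP/1.1" 200 1234
10.0.0.9 - - [10/Jan/2021:10:00:05 +0000] "POST /jeecg-boot/sys/common/upload HTTP/1.1" 200 87
10.0.0.9 - - [10/Jan/2021:10:00:07 +0000] "GET /jeecg-boot/upload/cmd.jsp?x=1 HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2021:10:01:00 +0000] "POST /jeecg-boot/sys/common/upload HTTP/1.1" 200 90
10.0.0.5 - - [10/Jan/2021:10:01:02 +0000] "GET /jeecg-boot/upload/photo.png HTTP/1.1" 200 4096
10.0.0.9 - - [10/Jan/2021:10:02:00 +0000] "GET /jeecg-boot/upload/a.php HTTP/1.1" 404 0
"""


def detect_upload_abuse(lines):
    """Return {"uploads": [...], "alerts": [...]} for the given access log lines."""
    uploads = []          # every POST to the vulnerable endpoint, for review
    alerts = []           # requests for executable paths
    clients_that_uploaded = set()

    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the detector
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        bare_path = path.split("?", 1)[0]  # drop the query string before checking the extension

        if method == "POST" and bare_path == UPLOAD_ENDPOINT:
            clients_that_uploaded.add(ip)
            uploads.append({"ip": ip, "time": m["ts"], "status": status})
            continue

        if EXEC_EXTENSION.search(bare_path):
            # A served (200) executable file from a client that uploaded earlier is the
            # strongest signal; anything else is still worth a look at lower severity.
            if status == "200" and ip in clients_that_uploaded:
                severity, rule = "high", "executable_served_after_upload"
            else:
                severity, rule = "medium", "executable_path_requested"
            alerts.append({
                "rule": rule, "severity": severity, "ip": ip,
                "path": bare_path, "status": status, "time": m["ts"],
            })

    return {"uploads": uploads, "alerts": alerts}


if __name__ == "__main__":
    result = detect_upload_abuse(SAMPLE_LOG.splitlines())
    print(f"{len(result['uploads'])} upload requests seen")
    for alert in result["alerts"]:
        print(f"[{alert['severity']}] {alert['rule']}: {alert['ip']} {alert['path']} -> {alert['status']}")
```

Feeding a real access log in is a matter of `detect_upload_abuse(open(path))`. The design keeps upload requests and executable fetches separate because legitimate users also upload; what distinguishes the CVE-2020-28088 pattern is the combination of an upload followed by the server happily serving a file with an executable extension.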