CVE-2021-37306
📋 TL;DR
CVE-2021-37306 is an insecure permissions vulnerability in jeecg-boot that allows remote attackers to check if a username exists without authentication. This information disclosure can help attackers identify valid usernames for brute-force attacks. All jeecg-boot installations up to version 2.4.5 are affected.
💻 Affected Systems
- jeecg-boot
📦 What is this software?
Jeecg by Jeecg
⚠️ Risk & Real-World Impact
Worst Case
Attackers enumerate all valid usernames, then perform credential stuffing or brute-force attacks to gain unauthorized access, potentially compromising the entire system.
Likely Case
Attackers identify administrative accounts and target them with focused attacks, leading to privilege escalation and data exposure.
If Mitigated
With proper authentication controls, the impact is limited to username enumeration, which still aids attackers in reconnaissance.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable endpoint with different usernames.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.6 and later
Vendor Advisory: https://github.com/jeecgboot/jeecg-boot/issues/2794
Restart Required: Yes
Instructions:
1. Update jeecg-boot to version 2.4.6 or later.
2. Restart the application server.
3. Verify the fix by testing the API endpoint.
🔧 Temporary Workarounds
Block vulnerable API endpoint
Configure the web application firewall or reverse proxy to block requests to /sys/user/checkOnlyUser. If the application is deployed under a context path, include that prefix in the rule so the match still applies.
# Example nginx location block
location ~ ^/sys/user/checkOnlyUser { deny all; }
Implement authentication middleware
Add an authentication requirement to the vulnerable endpoint in the application code.
# Requires code modification - add @RequiresPermissions or similar annotation to controller method
🧯 If You Can't Patch
- Implement strict rate limiting on API endpoints to slow down username enumeration
- Deploy WAF with rules to detect and block suspicious username checking patterns
🔍 How to Verify
Check if Vulnerable:
Send an HTTP GET request to /sys/user/checkOnlyUser?username=admin without authentication. If the response reveals whether the user exists, the system is vulnerable.
Check Version:
Check application.properties or pom.xml for the jeecg-boot version, or, if the Spring Boot actuator is exposed, use: curl -s http://hostname/actuator/info | grep version
Verify Fix Applied:
After patching, the same unauthenticated request should return an authentication error or 403 Forbidden instead of user existence information.
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to /sys/user/checkOnlyUser with different username parameters
- Unusual number of 200 responses from unauthenticated API calls
Network Indicators:
- HTTP traffic patterns showing sequential username enumeration attempts
- Unusual volume of requests to user management endpoints
SIEM Query:
source="web_logs" AND uri="/sys/user/checkOnlyUser" AND status=200 AND NOT user_agent="monitoring_tool" | stats count by src_ip
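The log and SIEM indicators above describe enumeration as many successful checkOnlyUser requests for different usernames from one client. The following is an added example, not part of the original advisory or the jeecg-boot project, that applies that logic to constructed nginx "combined" access-log lines: it parses each line, keeps only 200 responses to the vulnerable endpoint, ignores an allowlisted monitoring user agent (the "monitoring_tool" value from the SIEM query above), and reports source IPs that received answers for at least a threshold number of distinct usernames. The sample IPs, timestamps and usernames are constructed, and the path match uses a suffix comparison so a deployment context path prefix does not hide the endpoint.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (nginx "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2021:12:00:01 +0000] "GET /sys/user/checkOnlyUser?username=admin HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2021:12:00:02 +0000] "GET /sys/user/checkOnlyUser?username=jeecg HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2021:12:00:03 +0000] "GET /sys/user/checkOnlyUser?username=test HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2021:12:00:04 +0000] "GET /sys/user/checkOnlyUser?username=root HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Jul/2021:12:00:05 +0000] "GET /sys/user/checkOnlyUser?username=alice HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2021:12:00:06 +0000] "GET /sys/user/checkOnlyUser?username=admin HTTP/1.1" 200 64 "-" "monitoring_tool"
198.51.100.9 - - [10/Jul/2021:12:00:07 +0000] "GET /sys/user/checkOnlyUser?username=bob HTTP/1.1" 200 64 "-" "monitoring_tool"
198.51.100.9 - - [10/Jul/2021:12:00:08 +0000] "GET /sys/user/checkOnlyUser?username=carol HTTP/1.1" 200 64 "-" "monitoring_tool"
192.0.2.44 - - [10/Jul/2021:12:00:09 +0000] "GET /sys/user/checkOnlyUser?username=admin HTTP/1.1" 403 12 "-" "curl/7.68.0"
192.0.2.44 - - [10/Jul/2021:12:00:10 +0000] "GET /sys/user/list HTTP/1.1" 401 12 "-" "curl/7.68.0"
"""

# Regex for the nginx/Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

VULN_PATH = "/sys/user/checkOnlyUser"          # endpoint named in the advisory
ALLOWLISTED_AGENTS = {"monitoring_tool"}       # assumed value, mirrors the SIEM query


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # The username being probed travels in the query string.
    rec["username"] = parse_qs(parts.query).get("username", [None])[0]
    rec["status"] = int(rec["status"])
    return rec


def find_enumeration(log_text, threshold=3):
    """Return {src_ip: sorted distinct usernames} for clients that received at
    least `threshold` 200 responses for distinct usernames from the vulnerable
    endpoint, excluding allowlisted user agents."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Suffix match tolerates a context path such as /<prefix>/sys/user/checkOnlyUser.
        if not rec["path"].endswith(VULN_PATH):
            continue
        if rec["status"] != 200 or rec["user_agent"] in ALLOWLISTED_AGENTS:
            continue
        if rec["username"]:
            seen[rec["src_ip"]].add(rec["username"])
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= threshold}


if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} distinct usernames probed: {', '.join(names)}")
```

In the sample, only 203.0.113.7 is reported: 198.51.100.5 probed a single name, 198.51.100.9 is the allowlisted monitor, and 192.0.2.44 received 403/401 answers, which is what a patched or firewalled endpoint should produce. Tune the threshold and the allowlist to the environment, and prefer keying on the username parameter rather than raw request counts, since repeated checks of one name are far less indicative than many distinct names.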