Login Sign Up

CVE-2021-46089

9.8 CRITICAL
SQL Injection

📋 TL;DR

CVE-2021-46089 is a critical SQL injection vulnerability in JeecgBoot 3.0 that allows attackers to execute arbitrary SQL commands with root database privileges. This affects all organizations using vulnerable versions of JeecgBoot, potentially exposing sensitive data and system control.

💻 Affected Systems

Products:
  • JeecgBoot
Versions: Version 3.0
Operating Systems: All platforms running JeecgBoot
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations of JeecgBoot 3.0. The vulnerability exists in the application code itself.

📦 What is this software?

Jeecg Boot by Jeecg

View all CVEs affecting Jeecg Boot →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, privilege escalation to operating system, and full system takeover.

🟠

Likely Case

Unauthorized data access, data exfiltration, and potential lateral movement within the database environment.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database privilege separation in place.

🌐 Internet-Facing: HIGH - Web applications are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited by malicious insiders or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are well-understood and often have public exploit code available. The root database access makes this particularly dangerous.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 3.0 (check latest releases)

Vendor Advisory: https://github.com/jeecgboot/jeecg-boot/issues/3331

Restart Required: Yes

Instructions:

1. Update JeecgBoot to the latest patched version. 2. Review and apply all security patches. 3. Restart the application server. 4. Test functionality after update.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and parameterized queries to prevent SQL injection

Database Privilege Reduction

all

Change database user from root to a limited privilege account

CREATE USER 'jeecguser'@'localhost' IDENTIFIED BY 'strongpassword';
GRANT SELECT, INSERT, UPDATE, DELETE ON jeecgdb.* TO 'jeecguser'@'localhost';
REVOKE ALL PRIVILEGES ON *.* FROM 'jeecgroot'@'localhost';

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) with SQL injection protection rules
  • Isolate the vulnerable system behind network segmentation and restrict database access

🔍 How to Verify

Check if Vulnerable:

Check if running JeecgBoot version 3.0. Review application logs for SQL injection attempts or unusual database queries.

Check Version:

Check application configuration files or version.txt in JeecgBoot installation directory

Verify Fix Applied:

Verify updated to version after 3.0. Test SQL injection payloads against the application to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts with SQL syntax
  • Long or malformed HTTP parameters

Network Indicators:

  • SQL keywords in HTTP requests (SELECT, UNION, INSERT, etc.)
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND ("SELECT *" OR "UNION SELECT" OR "' OR '1'='1")

📊 Metadata

CVE ID: CVE-2021-46089
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: January 25, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46089, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)