CVE-2022-22880
📋 TL;DR
Jeecg-boot v3.0 contains a SQL injection vulnerability in the /jeecg-boot/sys/user/queryUserByDepId endpoint via the code parameter. This allows attackers to execute arbitrary SQL commands on the database. Organizations using Jeecg-boot v3.0 for rapid development are affected.
💻 Affected Systems
- Jeecg-boot
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, authentication bypass, and potential remote code execution on the database server.
Likely Case
Unauthorized data access, extraction of sensitive user information, and potential privilege escalation within the application.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.
🎯 Exploit Status
Exploitation requires access to the vulnerable endpoint but SQL injection techniques are well-documented and easily automated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.1 or later
Vendor Advisory: https://github.com/jeecgboot/jeecg-boot/issues/3347
Restart Required: Yes
Instructions:
1. Upgrade Jeecg-boot to version 3.1 or later. 2. Replace the vulnerable code with parameterized queries. 3. Restart the application server.
🔧 Temporary Workarounds
Input Validation Filter
allImplement strict input validation for the code parameter to only allow expected characters.
Implement regex validation: ^[a-zA-Z0-9_-]+$
WAF Rule
allDeploy web application firewall rules to block SQL injection patterns targeting the vulnerable endpoint.
WAF rule: Block requests to /jeecg-boot/sys/user/queryUserByDepId containing SQL keywords in parameters
🧯 If You Can't Patch
- Implement network segmentation to restrict access to the vulnerable endpoint
- Apply database-level controls: restrict application database user permissions to minimum required
🔍 How to Verify
Check if Vulnerable:
Test the /jeecg-boot/sys/user/queryUserByDepId endpoint with SQL injection payloads in the code parameter.Check Version:
Check Jeecg-boot version in application properties or via version endpoint if available.Verify Fix Applied:
Verify that parameterized queries are implemented and SQL injection attempts no longer succeed.📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts following SQL injection patterns
- Requests to vulnerable endpoint with suspicious parameters
Network Indicators:
- HTTP requests to /jeecg-boot/sys/user/queryUserByDepId containing SQL keywords
- Unusual database connection patterns from application server
SIEM Query:
source="web_logs" AND uri="/jeecg-boot/sys/user/queryUserByDepId" AND (param="code" AND value MATCH "(?i)(union|select|insert|update|delete|drop|exec|--|#)")