CVE-2023-49371

9.8 CRITICAL

📋 TL;DR

RuoYi versions up to 4.6 contain a SQL injection vulnerability in the /system/dept/edit endpoint that allows attackers to execute arbitrary SQL commands. This affects all deployments of RuoYi up to version 4.6 that have this endpoint accessible. Attackers can potentially read, modify, or delete database contents.

💻 Affected Systems

Products:
  • RuoYi
Versions: Up to and including v4.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments with the vulnerable endpoint accessible. The vulnerability is in the web application layer.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to data theft, data destruction, or full system takeover via subsequent attacks.

🟠 Likely Case: Unauthorized data access, privilege escalation, or data manipulation in the RuoYi application database.

🟢 If Mitigated: Limited impact with proper input validation, WAF protection, and database permissions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to access the /system/dept/edit endpoint. Public proof-of-concept demonstrates the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v4.7 or later

Vendor Advisory: https://github.com/ruoyi-vue/RuoYi

Restart Required: Yes

Instructions:

1. Upgrade RuoYi to version 4.7 or later.
2. Replace vulnerable files with patched versions.
3. Restart the application server.

🔧 Temporary Workarounds

Input Validation Filter (all)

Implement strict input validation and parameterized queries for the /system/dept/edit endpoint.

WAF Rule (all)

Deploy web application firewall rules to block SQL injection patterns targeting the vulnerable endpoint.

🧯 If You Can't Patch

  • Restrict network access to the RuoYi application to trusted users only
  • Implement database-level controls with minimal necessary permissions for application accounts

🔍 How to Verify

Check if Vulnerable:

Check the RuoYi version in the application interface or configuration files. If the version is 4.6 or earlier, assume it is vulnerable.

Check Version:

Check ruoyi-admin/src/main/resources/application.yml or the application interface for version information.

Verify Fix Applied:

Verify RuoYi version is 4.7 or later and test the /system/dept/edit endpoint with SQL injection payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by /system/dept/edit access
  • SQL syntax errors in application logs

Network Indicators:

  • HTTP POST requests to /system/dept/edit with SQL keywords in parameters
  • Unusual database connection patterns from application server

SIEM Query:

source="web_logs" AND uri="/system/dept/edit" AND (param="' OR '1'='1" OR param LIKE "%SELECT%" OR param LIKE "%UNION%")
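The same two detections expressed as code that can be run over exported web logs offline: the SIEM query's SQL-keyword match on /system/dept/edit parameters (applied after URL-decoding, so encoded quotes are not missed), plus the "failed logins followed by /system/dept/edit access" indicator from the list above. This is an added example, not tooling from the RuoYi project: the simplified log format, the /login path, the 401 status for a failed login, the threshold of three failures and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample lines in a simplified 'ip method uri status "body"' form;
# the format, the /login path and the payloads are assumptions for this example.
SAMPLE_LOG = """\
10.0.0.5 POST /login 401 "username=admin&password=a"
10.0.0.5 POST /login 401 "username=admin&password=b"
10.0.0.5 POST /login 401 "username=admin&password=c"
10.0.0.5 POST /login 200 "username=admin&password=d"
10.0.0.5 POST /system/dept/edit 200 "deptId=101&deptName=x%27+OR+%271%27%3D%271&ancestors=0,100"
10.0.0.9 POST /system/dept/edit 200 "deptId=101&deptName=Sales&ancestors=0,100"
10.0.0.7 POST /system/dept/edit 200 "deptId=102&ancestors=0,100)+UNION+SELECT+1"
10.0.0.7 GET /system/dept/list 200 ""
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
TARGET_URI = "/system/dept/edit"
LOGIN_URI = "/login"              # assumed login path
FAILED_LOGIN_THRESHOLD = 3        # assumed threshold

# Same intent as the SIEM query: a quoted OR tautology, or a UNION/SELECT keyword,
# matched against decoded parameter values rather than the raw request body.
SQLI_PATTERNS = [
    re.compile(r"'\s*or\s*'", re.IGNORECASE),
    re.compile(r"\bunion\b", re.IGNORECASE),
    re.compile(r"\bselect\b", re.IGNORECASE),
]

def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, uri, status, body = m.groups()
    # parse_qsl decodes %27 and '+', so patterns see what the application sees
    params = dict(parse_qsl(body, keep_blank_values=True))
    return {"ip": ip, "method": method, "uri": uri, "status": int(status), "params": params}

def suspicious_params(params):
    """Names of parameters whose decoded value matches any SQLi pattern."""
    return [k for k, v in params.items() if any(p.search(v) for p in SQLI_PATTERNS)]

def detect(log_text):
    """Return (rule, source ip, detail) alerts for the two indicators above."""
    alerts = []
    failed_logins = defaultdict(int)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["uri"] == LOGIN_URI:
            if ev["status"] == 401:
                failed_logins[ev["ip"]] += 1
            continue
        if ev["uri"] != TARGET_URI:
            continue
        hits = suspicious_params(ev["params"])
        if hits:
            alerts.append(("sqli_pattern", ev["ip"], hits))
        if failed_logins[ev["ip"]] >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("failed_logins_then_edit", ev["ip"], failed_logins[ev["ip"]]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Matching on decoded values matters because the raw body of the first edit request contains `%27+OR+%271%27%3D%271`, which the literal `' OR '1'='1` comparison in the SIEM query would never see. Bare keyword matching also produces false positives on legitimate department names (a name such as "Union Square" trips the UNION rule), so treat these hits as triage signals to be correlated with the database-side indicators rather than as confirmed exploitation.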
