CVE-2024-12351

6.3 MEDIUM

📋 TL;DR

This SQL injection vulnerability in JFinalCMS 1.0 allows remote attackers to execute arbitrary SQL commands by manipulating the 'name' parameter handled by the findPage function. Attackers can potentially access, modify, or delete database content. All users running JFinalCMS 1.0 are affected.

💻 Affected Systems

Products:
  • JFinalCMS
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of JFinalCMS 1.0 are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, and potential remote code execution if database functions allow it.

🟠 Likely Case

Unauthorized data access, data manipulation, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH - Remote exploitation possible without authentication, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems still vulnerable but attack surface reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized, and a public proof-of-concept exists in a GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Implement parameterized queries or input validation for the 'name' parameter in ContentModel.java.

Modify src\main\java\com\cms\entity\ContentModel.java to use PreparedStatement instead of string concatenation.

Web Application Firewall (all platforms)

Deploy a WAF with SQL injection protection rules.

🧯 If You Can't Patch

  • Isolate the JFinalCMS instance behind a reverse proxy with SQL injection filtering
  • Implement strict network segmentation and limit database permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Check if running JFinalCMS 1.0 by examining version files or application metadata

Check Version:

Check application configuration files or database version tables for '1.0'

Verify Fix Applied:

Test the findPage function with SQL injection payloads to confirm proper input validation

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed parameter manipulation attempts

Network Indicators:

  • SQL keywords in HTTP parameters (SELECT, UNION, etc.)
  • Unusual database query patterns

SIEM Query:

web_server_logs WHERE url_parameters CONTAINS 'SELECT' OR url_parameters CONTAINS 'UNION' OR url_parameters CONTAINS 'OR 1=1'
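
The SIEM query above matches raw log text, so input that arrives percent-encoded can slip past it. The following Python sketch is an added example, not part of the original advisory or the JFinalCMS project: it decodes each query parameter before matching the same tokens. The access-log format, the /content/list path and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Tokens from the advisory's SIEM query. Word boundaries avoid hits on
# ordinary words such as "selection" or "reunion".
SQLI_PATTERN = re.compile(r"\b(?:select|union)\b|\bor\s+1\s*=\s*1\b", re.IGNORECASE)

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; /content/list is a placeholder path, not taken
# from JFinalCMS.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /content/list?name=news HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /content/list?name=x%27%20OR%201%3D1 HTTP/1.1" 500 87',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "GET /content/list?name=a%27+UNION+SELECT+1 HTTP/1.1" 500 87',
    '198.51.100.4 - - [01/Jan/2025:10:01:00 +0000] "GET /content/list?name=reunion+selection HTTP/1.1" 200 430',
]


def suspicious_params(log_line):
    """Return [(param, decoded_value)] for query parameters matching SQLI_PATTERN."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    # parse_qsl percent-decodes values and turns '+' into a space, so the
    # pattern sees the parameter in the form the application receives it.
    return [(key, value)
            for key, value in parse_qsl(query, keep_blank_values=True)
            if SQLI_PATTERN.search(value)]


def scan(lines):
    """Return {line_number: hits} for lines with at least one suspicious parameter."""
    report = {}
    for number, line in enumerate(lines, start=1):
        hits = suspicious_params(line)
        if hits:
            report[number] = hits
    return report


if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(f"line {number}: {hits}")
```

Access logs normally record only the query string, so parameters sent in a POST body need WAF or application-level logging to be covered by the same check.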
