CVE-2024-51165

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in JEPAAS 7.2.8 allows remote attackers to execute arbitrary SQL queries through the dateVal parameter in the /je/rbac/rbac/loadLoginCount endpoint. Successful exploitation could lead to complete database compromise, exposing all stored information including user credentials and sensitive business data. Organizations using JEPAAS 7.2.8 are affected.

💻 Affected Systems

Products:
  • JEPAAS
Versions: 7.2.8
Operating Systems: All platforms running JEPAAS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of JEPAAS 7.2.8. No special configuration is required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data exfiltration, credential theft, privilege escalation, and potential lateral movement within the network.

🟠 Likely Case

Unauthorized access to sensitive data including user credentials, personal information, and business data stored in the database.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database access controls in place.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible remotely without authentication, making internet-facing instances particularly vulnerable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and has publicly available proof-of-concept code, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Monitor JEPAAS vendor for official patch or advisory.
2. Apply patch immediately when available.
3. Test patch in non-production environment first.

🔧 Temporary Workarounds

Input Validation Filter

Platforms: all

Implement server-side input validation to sanitize the dateVal parameter before processing.

Implement parameterized queries or prepared statements for the loadLoginCount endpoint.

Web Application Firewall Rules

Platforms: all

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint.

Add WAF rule: Block requests to /je/rbac/rbac/loadLoginCount containing SQL keywords in dateVal parameter.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to JEPAAS instances
  • Deploy database monitoring to detect unusual SQL query patterns

🔍 How to Verify

Check if Vulnerable:

Test the /je/rbac/rbac/loadLoginCount endpoint with SQL injection payloads in the dateVal parameter (e.g., dateVal=2024-01-01' OR '1'='1).

Check Version:

Check JEPAAS version in application interface or configuration files; default installation shows version in admin panel.

Verify Fix Applied:

Retest with SQL injection payloads after implementing fixes; successful payloads should be rejected or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts with SQL patterns in parameters
  • Requests to /je/rbac/rbac/loadLoginCount with suspicious dateVal values

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) in URL parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND url_path="/je/rbac/rbac/loadLoginCount" AND (param="dateVal" AND value MATCHES "[';]|UNION|SELECT")
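As an added example (not part of this advisory or of the JEPAAS code base), the allow-list check described under Input Validation Filter and the log indicator for suspicious dateVal values, implemented in Python over a few constructed access-log lines. It assumes dateVal is meant to carry a single YYYY-MM-DD date and arrives in the query string; the log format, timestamps and client addresses are constructed.

```python
import re
from datetime import date
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/je/rbac/rbac/loadLoginCount"
# Assumption: dateVal is meant to be a single calendar date written as YYYY-MM-DD.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

# Constructed access-log lines in common log format (addresses are documentation ranges).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Jan/2025:12:00:01 +0000] "GET /je/rbac/rbac/loadLoginCount?dateVal=2024-01-01 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jan/2025:12:00:02 +0000] "GET /je/rbac/rbac/loadLoginCount?dateVal=2024-01-01%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8120',
    '198.51.100.4 - - [10/Jan/2025:12:00:03 +0000] "GET /je/rbac/rbac/loadLoginCount?dateVal=2024-02-30 HTTP/1.1" 500 0',
    '198.51.100.4 - - [10/Jan/2025:12:00:04 +0000] "GET /je/other/page?dateVal=anything HTTP/1.1" 200 100',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_valid_date_val(value: str) -> bool:
    """Allow-list check: exactly YYYY-MM-DD and a real calendar date.

    Quotes, spaces and SQL keywords fail the shape test; pair this with a
    parameterized query, since validation alone is a workaround, not the fix."""
    if not DATE_RE.fullmatch(value):
        return False
    try:
        date.fromisoformat(value)  # rejects impossible dates such as 2024-02-30
    except ValueError:
        return False
    return True


def flag_suspicious_requests(log_lines):
    """Return (client_ip, decoded dateVal) for each ENDPOINT request failing the allow-list."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        parts = urlsplit(m.group("target"))
        if parts.path != ENDPOINT:
            continue
        # parse_qs percent-decodes, so %27 is checked as the quote it becomes server-side.
        for value in parse_qs(parts.query, keep_blank_values=True).get("dateVal", []):
            if not is_valid_date_val(value):
                findings.append((m.group("ip"), value))
    return findings
```

Because the check is an allow-list rather than a keyword signature, `flag_suspicious_requests(SAMPLE_LOG)` reports the malformed-but-harmless `2024-02-30` request alongside the quoted one, which is the behaviour you want when a WAF signature is the only other control.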
