CVE-2024-57606

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in JeecgBoot v3.7.2 allows remote attackers to execute arbitrary SQL commands through the getTotalData component. Attackers can potentially access, modify, or delete database information. Organizations using this specific version of JeecgBoot are affected.

💻 Affected Systems

Products:
  • JeecgBoot
Versions: v3.7.2
Operating Systems: All platforms running JeecgBoot
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of JeecgBoot v3.7.2 through the getTotalData component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data exfiltration, data manipulation, privilege escalation, and potential remote code execution through database functions.

🟠 Likely Case

Unauthorized access to sensitive information stored in the database, including user credentials, personal data, and business information.

🟢 If Mitigated

Limited information disclosure if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects web applications that are typically internet-facing.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited by malicious insiders or compromised internal systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of the application's database structure and SQL injection techniques, but no authentication is required to access the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after v3.7.2 (check GitHub issues for specific patch version)

Vendor Advisory: https://github.com/jeecgboot/JeecgBoot/issues/7665

Restart Required: No

Instructions:

1. Upgrade JeecgBoot to the latest version.
2. Review and apply the fix from GitHub issue #7665.
3. Implement parameterized queries for all database operations.
4. Validate and sanitize all user inputs.

🔧 Temporary Workarounds

Input Validation and Sanitization
Applies to: all

Implement strict input validation and sanitization for the getTotalData component parameters.

Web Application Firewall Rules
Applies to: all

Deploy WAF rules to block SQL injection patterns targeting the getTotalData endpoint.

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to the vulnerable application
  • Deploy a web application firewall with SQL injection detection rules

🔍 How to Verify

Check if Vulnerable:

Test the getTotalData endpoint with SQL injection payloads to see if they execute

Check Version:

Check the application version in the admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts against the getTotalData component are properly rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from the getTotalData endpoint
  • SQL error messages in application logs
  • Multiple failed login attempts following SQL injection patterns

Network Indicators:

  • HTTP requests to getTotalData with SQL keywords (SELECT, UNION, etc.)
  • Abnormal response sizes from database queries

SIEM Query:

source="web_logs" AND (uri="*getTotalData*" AND (query="*SELECT*" OR query="*UNION*" OR query="*OR 1=1*"))
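As an added example (not part of this advisory and not JeecgBoot project code), the script below applies the logic of the SIEM query above to web access-log lines offline. The combined-style log format, the `/app/getTotalData` path and the four sample lines are constructed assumptions; the three indicators (SELECT, UNION, OR 1=1) are the ones in the query. It goes one step beyond the query by percent-decoding the query string and matching case-insensitively, so that encoded or lower-case variants of the same keywords are still surfaced.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines for this example; the /app/... path is a
# placeholder and not a known JeecgBoot route.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /app/getTotalData?page=1&size=10 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2025:10:00:01 +0000] "GET /app/getTotalData?page=1%20UNION%20SELECT%201 HTTP/1.1" 500 88',
    '10.0.0.8 - - [01/Jan/2025:10:00:02 +0000] "GET /app/getTotalData?page=1%20or%201%3D1 HTTP/1.1" 200 9000',
    '10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /app/user/list?username=select HTTP/1.1" 200 300',
]

# Request line inside the quoted part of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# The three indicators from the advisory's SIEM query, as case-insensitive
# word-bounded patterns so "select", "Union" and "or 1 = 1" are also caught.
INDICATORS = [
    ("SELECT", re.compile(r"\bselect\b", re.I)),
    ("UNION", re.compile(r"\bunion\b", re.I)),
    ("OR 1=1", re.compile(r"\bor\s+1\s*=\s*1\b", re.I)),
]


def parse_request(line):
    """Return (client, path, decoded query) or None if the line has no request."""
    m = REQUEST_RE.search(line)
    if m is None:
        return None
    client = line.split(" ", 1)[0]
    parts = urlsplit(m.group("target"))
    # Decode percent-encoding and '+' before matching; the raw query string
    # would hide "UNION%20SELECT" from a literal "*UNION*" wildcard.
    return client, parts.path, unquote_plus(parts.query)


def classify(line):
    """Names of the indicators matched by one log line (empty list if none)."""
    parsed = parse_request(line)
    if parsed is None:
        return []
    _, path, query = parsed
    # Same scoping as the SIEM query: only requests to the getTotalData endpoint.
    if "getTotalData" not in path:
        return []
    return [name for name, pat in INDICATORS if pat.search(query)]


def scan(lines):
    """Findings for every line that hits getTotalData with at least one indicator."""
    findings = []
    for line in lines:
        hits = classify(line)
        if hits:
            client, path, query = parse_request(line)
            findings.append({"client": client, "path": path, "query": query, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['client']} {f['path']} -> {', '.join(f['indicators'])}: {f['query']}")
```

On the sample lines, `scan` flags the two requests carrying a UNION/SELECT pair and an OR 1=1 clause, and ignores both the clean paging request and the request to a different endpoint whose parameter merely contains the word "select". Decoding before matching is the important difference from the raw wildcard query: the literal `*UNION*` pattern never sees `UNION%20SELECT` as two separate keywords, and a case-sensitive match misses lower-case variants.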
