CVE-2024-6680
📋 TL;DR
This critical SQL injection vulnerability in witmy my-springsecurity-plus allows remote attackers to execute arbitrary SQL commands via the params.dataScope parameter of the /api/dept/build endpoint. Versions of this software up to July 4, 2024 are affected, potentially exposing database contents and compromising system integrity.
💻 Affected Systems
- witmy my-springsecurity-plus
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to data theft, data manipulation, privilege escalation, and potential remote code execution through database functions.
Likely Case
Unauthorized data access and extraction, including sensitive user information, configuration data, and potentially authentication credentials stored in the database.
If Mitigated
Limited impact with proper input validation, parameterized queries, and database permission restrictions in place.
🎯 Exploit Status
Exploit details have been publicly disclosed on Gitee and VulDB, making this easily exploitable by attackers with basic SQL injection knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2024-07-04
Vendor Advisory: https://gitee.com/witmy/my-springsecurity-plus/issues/IAAH8A
Restart Required: Yes
Instructions:
1. Update to the latest version of my-springsecurity-plus released after 2024-07-04.
2. Review the Gitee issue for specific patch details.
3. Restart the application service.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Web Application Firewall (WAF) Rules
Implement WAF rules to block SQL injection patterns targeting the /api/dept/build endpoint and the params.dataScope parameter.
Endpoint Restriction
Block or restrict access to the /api/dept/build endpoint at the network or application level if it is not required for functionality.
🧯 If You Can't Patch
- Implement strict input validation and sanitization for the params.dataScope parameter
- Apply database permission restrictions to limit the impact of successful SQL injection
🔍 How to Verify
Check if Vulnerable:
Test the /api/dept/build endpoint with SQL injection payloads in the params.dataScope parameter and observe database errors or unexpected responses.
Check Version:
Check application version through application metadata, configuration files, or build information specific to my-springsecurity-plus deployment.
Verify Fix Applied:
After patching, attempt the same SQL injection tests and verify they are properly rejected or sanitized without database errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple rapid requests to /api/dept/build with varying parameters
- Database query patterns containing SQL injection payloads
Network Indicators:
- HTTP POST requests to /api/dept/build with SQL keywords in parameters
- Unusual database connection patterns from application servers
SIEM Query:
source="application_logs" AND ("params.dataScope" OR "/api/dept/build") AND ("SQL" OR "syntax" OR "error" OR "injection")
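The log indicators above, turned into a check over constructed sample lines. This is an added example, not code from the advisory or from the my-springsecurity-plus project; the log line layout, the burst threshold and the set of legitimate params.dataScope values are assumptions to tune to your deployment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "/api/dept/build"
PARAM = "params.dataScope"
# Indicators: quote, separator, comment opener, SQL keyword, or an "or/and ... =" tautology.
SQLI_RE = re.compile(
    r"(['\";]|--|/\*|\b(?:union|select|sleep|benchmark)\b|\b(?:or|and)\b[^=]*=)", re.I)
# Assumed log layout (not the project's real format): "<ISO time> <ip> <method> <target>"
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, target = m.groups()
    parts = urlsplit(target)
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "method": method,
            "path": parts.path, "query": parse_qs(parts.query)}

def suspicious_scope(query):
    """First params.dataScope value matching an indicator, else None."""
    for value in query.get(PARAM, []):
        if SQLI_RE.search(unquote_plus(value)):  # second decode catches double encoding
            return value
    return None

def scan(lines, burst=3, window=timedelta(seconds=10)):
    """Return (payload hits, IPs sending >= burst endpoint requests inside window)."""
    hits, by_ip = [], defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] != ENDPOINT:
            continue
        by_ip[rec["ip"]].append(rec["ts"])
        value = suspicious_scope(rec["query"])
        if value is not None:
            hits.append((rec["ip"], value))
    bursts = sorted(ip for ip, times in by_ip.items() if any(
        b - a <= window for a, b in zip(sorted(times), sorted(times)[burst - 1:])))
    return hits, bursts

SAMPLE = [  # constructed sample lines, not real traffic
    "2024-07-05T10:00:00 203.0.113.7 POST /api/dept/build?params.dataScope=1",
    "2024-07-05T10:00:01 203.0.113.7 POST /api/dept/build?params.dataScope=1%27--",
    "2024-07-05T10:00:02 203.0.113.7 POST /api/dept/build?params.dataScope=2",
    "2024-07-05T10:00:05 198.51.100.2 GET /api/dept/build?params.dataScope=1",
    "2024-07-05T10:00:06 198.51.100.2 GET /api/user/list?q=select",
]
```

Requests to other paths are ignored on purpose, so a SQL keyword elsewhere (the last sample line) does not fire; after patching, the same scan still reports the attempts, which is expected, and the confirmation comes from the application no longer returning database errors.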