SQL Injection Vulnerability in Jeecg-boot Product by Jeecg
CVE-2023-38905

5.5MEDIUM

Key Information:

Vendor: Jeecg
Status: Jeecg Boot
Vendor: CVE Published:; 17 August 2023

What is CVE-2023-38905?

Jeecg-boot versions up to and including 3.5.0 are susceptible to an SQL injection vulnerability that can be exploited by a local attacker. This exploit allows the attacker to execute arbitrary SQL commands, potentially leading to a denial of service through functions such as Benchmark, PG_Sleep, DBMS_Lock.Sleep, Waitfor, DECODE, and DBMS_PIPE.RECEIVE_MESSAGE. Organizations using affected versions of Jeecg-boot should prioritize applying patches to mitigate the risk.

References

https://github.com/jeecgboot/jeecg-boot/issues/4737

https://gist.github.com/wealeson1/e24fc8575f4e051320d69e9...

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 17, 2023
Vulnerability Reserved
Jul 25, 2023