CVE-2023-34603 in JeecgBoot
Summary
by MITRE • 06/19/2023
JeecgBoot up to v 3.5.1 was discovered to contain a SQL injection vulnerability via the component queryFilterTableDictInfo at org.jeecg.modules.api.controller.SystemApiController.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2025
The vulnerability identified as CVE-2023-34603 affects JeecgBoot versions up to v3.5.1 and represents a critical SQL injection flaw within the system's API controller component. This vulnerability specifically resides in the queryFilterTableDictInfo method located at org.jeecg.modules.api.controller.SystemApiController, making it accessible through the application's web interface. The flaw allows attackers to manipulate database queries by injecting malicious SQL code through improperly sanitized input parameters, potentially compromising the entire database infrastructure underlying the application.
This SQL injection vulnerability stems from inadequate input validation and parameter sanitization within the API endpoint responsible for querying table dictionary information. The affected component processes user-supplied data without proper escaping or parameterization, creating an attack surface where malicious actors can execute arbitrary SQL commands against the database. The vulnerability is particularly concerning as it exists within a system API controller that likely handles administrative or sensitive data operations, potentially providing attackers with elevated privileges and access to confidential information.
The operational impact of this vulnerability extends beyond simple data theft, as it can enable complete database compromise including data modification, deletion, or unauthorized access to sensitive information. Attackers exploiting this vulnerability could potentially escalate privileges, bypass authentication mechanisms, or extract confidential data from the system's database. The presence of this flaw in a framework version that may be widely deployed across enterprise environments increases the potential attack surface significantly, as multiple organizations could be simultaneously vulnerable to the same exploitation vector.
Security practitioners should prioritize immediate mitigation of this vulnerability through patching to the latest JeecgBoot version that addresses the SQL injection flaw. Organizations should also implement network-level protections including web application firewalls and database activity monitoring to detect potential exploitation attempts. The vulnerability aligns with CWE-89 which specifically addresses SQL injection weaknesses in software applications, and maps to ATT&CK technique T1190 for exploiting vulnerabilities in software applications. Additional mitigations include implementing proper input validation, using parameterized queries, and conducting regular security assessments of API endpoints to identify similar injection vulnerabilities that may exist within the application's codebase.