CVE-2024-51165 in JEPAAS

Summary

by MITRE • 12/10/2024

SQL injection vulnerability in JEPAAS7.2.8, via /je/rbac/rbac/loadLoginCount in the dateVal parameter, which could allow a remote user to submit a specially crafted query, allowing an attacker to retrieve all the information stored in the DB.


Analysis

by VulDB Data Team • 06/24/2025

CVE-2024-51165 is a critical SQL injection flaw in JEPAAS version 7.2.8 that affects the /je/rbac/rbac/loadLoginCount endpoint. The dateVal parameter is the attack vector for malicious input. The flaw exists within the application's authentication and access control management system, which makes it particularly dangerous: it could compromise the entire RBAC framework that governs user permissions and system access. The impact extends beyond simple data exfiltration because it undermines the fundamental security controls that protect organizational resources.

Exploitation follows standard SQL injection attack patterns, where an attacker crafts malicious input to bypass proper authentication mechanisms. The loadLoginCount endpoint does not properly sanitize or validate the dateVal parameter before incorporating it into database queries. Because of this lack of input validation, SQL commands can be injected and executed with the privileges of the database user account. The vulnerability falls under CWE-89 (SQL injection), which is classified as a high-risk weakness in software security. Attackers can leverage this flaw to perform unauthorized database operations, including retrieval, modification, or deletion of sensitive information stored within the JEPAAS system.

The operational impact of CVE-2024-51165 is severe and multifaceted, particularly within enterprise environments that rely on JEPAAS for critical business operations. Remote attackers can exploit this vulnerability without requiring any authentication credentials, making the attack surface extremely broad and difficult to detect. The ability to retrieve all information stored in the database represents a complete compromise of data confidentiality, potentially exposing user credentials, access logs, system configurations, and other sensitive organizational data. This vulnerability directly violates the principle of least privilege and could enable attackers to escalate their privileges within the system. The attack can be executed through simple web requests, making it accessible to attackers with minimal technical expertise. Organizations using JEPAAS 7.2.8 may experience significant security breaches, regulatory compliance violations, and potential financial losses due to unauthorized access to critical systems.

Mitigation for CVE-2024-51165 should prioritize immediate patching of the JEPAAS application to the latest secure version that addresses this vulnerability. Organizations should implement proper input validation and parameterized queries throughout the application codebase, particularly in the RBAC module where the vulnerability occurs. Web application firewalls and intrusion detection systems can help detect and block malicious SQL injection attempts targeting this specific endpoint. Regular security testing, including automated vulnerability scanning and manual penetration testing, should be conducted to identify similar weaknesses in the application architecture. Organizations should also enforce network segmentation and limit access to the JEPAAS system through proper firewall rules and authentication controls. The vulnerability aligns with attack patterns documented in the MITRE ATT&CK framework under the Credential Access and Defense Evasion tactics, highlighting the need for comprehensive security controls that address both the immediate threat and broader attack surface considerations.
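The input validation and parameterized query recommended above, shown beside the concatenated pattern that CWE-89 describes. This is an added example, not JEPAAS code: the login_log table, the query, the function names and the YYYY-MM-DD format for dateVal are assumptions, since the page does not show the real query or schema.

```python
import re
import sqlite3
from datetime import date

def make_db():
    # Constructed stand-in data; the real JEPAAS schema is not on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE login_log (username TEXT, login_date TEXT)")
    db.executemany(
        "INSERT INTO login_log VALUES (?, ?)",
        [("alice", "2024-12-09"), ("bob", "2024-12-10"), ("carol", "2024-12-10")],
    )
    return db

def login_count_concatenated(db, date_val):
    # Weak pattern (CWE-89): the request value becomes part of the SQL text.
    sql = "SELECT COUNT(*) FROM login_log WHERE login_date = '" + date_val + "'"
    return db.execute(sql).fetchone()[0]

DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

def parse_date_val(date_val):
    # Allowlist validation: only a real calendar date in the assumed format.
    if not isinstance(date_val, str) or not DATE_RE.fullmatch(date_val):
        raise ValueError("dateVal must be YYYY-MM-DD")
    return date.fromisoformat(date_val)  # also rejects e.g. month 13

def login_count_parameterized(db, date_val, validate=True):
    # Hardened pattern: the value is bound as data and never parsed as SQL.
    if validate:
        date_val = parse_date_val(date_val).isoformat()
    sql = "SELECT COUNT(*) FROM login_log WHERE login_date = ?"
    return db.execute(sql, (date_val,)).fetchone()[0]

def is_rejected(date_val):
    # True when validation refuses the value before any query is built.
    try:
        parse_date_val(date_val)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed textbook tautology
    print("concatenated, valid date :", login_count_concatenated(db, "2024-12-10"))
    print("concatenated, hostile    :", login_count_concatenated(db, hostile))
    print("bound only, hostile      :", login_count_parameterized(db, hostile, validate=False))
    print("validated, hostile       :", "rejected" if is_rejected(hostile) else "accepted")
```

Binding alone already keeps the value out of the SQL grammar; the validation layer additionally turns malformed input into an error that can be logged and alerted on.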

Responsible: MITRE

Reservation: 10/28/2024

Disclosure: 12/10/2024

Moderation: accepted

CPE: ready

EPSS: 0.00241

KEV: no

Activities: very low
