| Field | Value |
|---|---|
| Title | Jeecg JeecgBoot 3.9.2 SQL Injection |
| Description | JeecgBoot up to version 3.9.2 suffers from a blind SQL injection vulnerability in the /sys/user/list endpoint. The QueryGenerator.initQueryWrapper() method automatically maps all fields of the SysUser entity (including password and salt) as queryable columns with LIKE wildcard support. An authenticated attacker can send requests like `GET /jeecg-boot/sys/user/list?password=c63*&username=admin`. The "*" suffix triggers RIGHT_LIKE matching. By checking whether records are returned, the attacker can brute-force the MD5 password hash and salt value character by character (512 requests for password, 288 for salt). The @JsonProperty(access = WRITE_ONLY) annotation on these fields only prevents JSON serialization, not Spring MVC query parameter binding. |
| Source | https://github.com/jeecgboot/JeecgBoot/issues/9648 |
| User | rusty19 (UID 98380) |
| Submission | 19/05/2026 03:54 PM (20 days ago) |
| Moderation | 07/06/2026 10:57 AM (19 days later) |
| Status | Accepted |
| VulDB Entry | 369084 [JeecgBoot up to 3.9.2 User List Endpoint SysUserController.java queryPageList salt information disclosure] |
| Points | 20 |
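A log-side check for the pattern described above, added here as an example that is not part of the submission or of JeecgBoot itself: it inspects request targets for filters on the password or salt columns of the user list endpoint and counts them per client, so a character-by-character probe stands out. The access-log format, client addresses and threshold are constructed assumptions.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Entity columns that must never be accepted as filters on the user list endpoint.
SENSITIVE_COLUMNS = {"password", "salt"}
TARGET_PATH = "/jeecg-boot/sys/user/list"
# Constructed threshold: a single client filtering on these columns this many
# times is treated as a prefix probe rather than a one-off mistake.
PROBE_THRESHOLD = 3

# Constructed access-log lines in the form "client method request-target".
SAMPLE_LOG = [
    "10.0.0.5 GET /jeecg-boot/sys/user/list?username=admin&pageNo=1",
    "10.0.0.9 GET /jeecg-boot/sys/user/list?password=c*&username=admin",
    "10.0.0.9 GET /jeecg-boot/sys/user/list?password=c6*&username=admin",
    "10.0.0.9 GET /jeecg-boot/sys/user/list?password=c63*&username=admin",
    "10.0.0.9 GET /jeecg-boot/sys/user/list?salt=a*&username=admin",
    "10.0.0.5 GET /jeecg-boot/sys/user/list?realname=Ad*",
    "10.0.0.7 GET /jeecg-boot/sys/dict/list?password=x*",
]


def sensitive_filters(request_target):
    """Return [(column, wildcard)] for sensitive columns used as query filters.

    Only the user list endpoint is inspected. A trailing '*' is the RIGHT_LIKE
    marker described in the report, so wildcard=True means a prefix match.
    """
    parts = urlsplit(request_target)
    if parts.path != TARGET_PATH:
        return []
    params = parse_qsl(parts.query, keep_blank_values=True)
    return [(k, v.endswith("*")) for k, v in params if k.lower() in SENSITIVE_COLUMNS]


def probing_clients(log_lines, threshold=PROBE_THRESHOLD):
    """Count sensitive-column filters per client; return those at or over threshold."""
    hits = Counter()
    for line in log_lines:
        client, _method, target = line.split()
        hits[client] += len(sensitive_filters(target))
    return {client: n for client, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in probing_clients(SAMPLE_LOG).items():
        print(f"{client}: {n} password/salt filters on {TARGET_PATH}")
```

The same check belongs on the server side as an allowlist of filterable columns, since the client-side count only detects the probe after it has started.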