| Field | Value |
|---|---|
| Title | JeecgBoot 3.9.1 Improper Access Controls |
| Description | The PUT /sys/selectDepart endpoint binds a full SysUser entity from the request body and persists the client-supplied orgCode and loginTenantId directly to the database without any server-side validation: no permission annotation, no department membership check, no tenant ownership verification. Any authenticated user, including one holding only the default test role, can set these fields to arbitrary values and thereby switch their session context to any department or tenant in the system. Chained with the userEdit self-escalation, an attacker who switches into a target department's context, then raises their userIdentity to 2 with departIds pointing at that department, can query the department's complete member list via departUserList and gain visibility into organizational data they have no legitimate access to. The result is that department and tenant boundaries, JeecgBoot's primary data isolation mechanism, can be crossed at will by any logged-in user in two requests, with no administrative privileges required. |
| Source | https://github.com/jeecgboot/JeecgBoot/issues/9597 |
| User | AliceS614 (UID 94277) |
| Submitted | 2026-05-02 11:40 (1 month ago) |
| Moderation | 2026-05-26 14:50 (24 days later) |
| Status | Accepted |
| VulDB Entry | 365636 [JeecgBoot up to 3.9.1 /sys/selectDepart LoginController.selectDepart Privilege Escalation] |
| Points | 20 |
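The server-side checks the description says are missing, shown as an added illustrative example that is not JeecgBoot's code and not the project's fix: a request DTO that exposes only orgCode and loginTenantId (instead of binding a full SysUser entity), a department membership check, a tenant ownership check, and a write scoped to the authenticated caller. The class and interface names (SelectDepartService, DepartSwitchRequest, the three repository interfaces, ForbiddenException) and the in-memory sample memberships are assumptions introduced for the example.

```java
import java.util.Map;
import java.util.Objects;
import java.util.Set;

/**
 * Illustrative example only (not JeecgBoot code): a department/tenant switch that
 * validates the request against the caller's own memberships before persisting.
 * All nested types are hypothetical stand-ins for the real persistence and
 * identity layers.
 */
public final class SelectDepartService {

    /** Request DTO exposing only the two fields the client may set. Binding a full
     *  user entity here is what lets client-supplied values reach other columns. */
    public static final class DepartSwitchRequest {
        public final String orgCode;
        public final String loginTenantId; // may be null in a single-tenant deployment

        public DepartSwitchRequest(String orgCode, String loginTenantId) {
            this.orgCode = Objects.requireNonNull(orgCode, "orgCode");
            this.loginTenantId = loginTenantId;
        }
    }

    /** Hypothetical lookups; in a real service these would be DAO/mapper calls. */
    public interface UserDepartRepository { Set<String> orgCodesOf(String userId); }
    public interface UserTenantRepository { Set<String> tenantIdsOf(String userId); }
    public interface SysUserRepository {
        void updateLoginContext(String userId, String orgCode, String loginTenantId);
    }

    public static final class ForbiddenException extends RuntimeException {
        public ForbiddenException(String msg) { super(msg); }
    }

    private final UserDepartRepository departs;
    private final UserTenantRepository tenants;
    private final SysUserRepository users;

    public SelectDepartService(UserDepartRepository departs, UserTenantRepository tenants,
                               SysUserRepository users) {
        this.departs = departs;
        this.tenants = tenants;
        this.users = users;
    }

    /**
     * @param callerUserId identity taken from the authenticated session or token,
     *                     never from the request body
     */
    public void selectDepart(String callerUserId, DepartSwitchRequest req) {
        // Department membership: the caller may only switch into a department they belong to.
        if (!departs.orgCodesOf(callerUserId).contains(req.orgCode)) {
            throw new ForbiddenException("user " + callerUserId
                    + " is not a member of department " + req.orgCode);
        }
        // Tenant ownership: same rule for the tenant, when one is requested.
        if (req.loginTenantId != null
                && !tenants.tenantIdsOf(callerUserId).contains(req.loginTenantId)) {
            throw new ForbiddenException("user " + callerUserId
                    + " does not belong to tenant " + req.loginTenantId);
        }
        // Persist only the two whitelisted fields, and only on the caller's own row.
        users.updateLoginContext(callerUserId, req.orgCode, req.loginTenantId);
    }

    /** Stand-alone demo over constructed in-memory data. */
    public static void main(String[] args) {
        // Constructed sample memberships: alice belongs to department A100 and tenant 1 only.
        Map<String, Set<String>> departMembership = Map.of("alice", Set.of("A100"));
        Map<String, Set<String>> tenantMembership = Map.of("alice", Set.of("1"));

        SelectDepartService svc = new SelectDepartService(
                u -> departMembership.getOrDefault(u, Set.of()),
                u -> tenantMembership.getOrDefault(u, Set.of()),
                (u, org, tenant) -> System.out.println("persisted " + u + " -> " + org + "/" + tenant));

        svc.selectDepart("alice", new DepartSwitchRequest("A100", "1")); // allowed

        try {
            // The report's scenario: switching into a department the caller is not in.
            svc.selectDepart("alice", new DepartSwitchRequest("B200", "1"));
        } catch (ForbiddenException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            svc.selectDepart("alice", new DepartSwitchRequest("A100", "2")); // foreign tenant
        } catch (ForbiddenException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two properties matter here more than the annotation: the caller's identity comes from the session rather than the body, so the write can only ever touch the caller's own row, and the authorization decision is made against membership data (which departments and tenants this user is in), not against a role. A role-based permission annotation alone would still let every ordinary user pick any orgCode or loginTenantId.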