# jeecgboot 3.9.0 bfla

## Description

**JeecgBoot Issue \#9196 Vulnerability Brief**
### **Overview**
This issue reports a critical **Broken Access Control** vulnerability within the JeecgBoot multi-tenant management module (`SysTenantController`). Due to a complete absence of **Authorization Checks** and severe business logic flaws, the **Multi-tenancy Isolation** mechanism is rendered ineffective. This allows any authenticated user to compromise arbitrary tenants via an "Enumeration-Application-Self Approval" exploit chain.
-----
### **Vulnerability Details & Exploit Chain**
The attacker leverages three distinct logical defects to construct a complete **Exploit Chain**:
1. **Information Disclosure via IDOR (Insecure Direct Object Reference)**
   * **Defect:** The `GET /sys/tenant/queryById` endpoint performs no access check and accepts an arbitrary `id` parameter, allowing enumeration.
   * **Impact:** Attackers can iterate through IDs to retrieve tenant metadata, specifically leaking the `houseNumber` (a secret credential required to join a tenant).
2. **Authentication Bypass & Privilege Escalation**
   * **Defect:** The `PUT /sys/tenant/agreeOrRefuseJoinTenant` endpoint does not verify that the operator is an administrator of the target tenant.
   * **Logic Flaw:** The system permits the applicant to approve their own join request (**Self-Approval**), bypassing the approval workflow entirely.
3. **Lateral Movement**
   * **Defect:** The `POST /sys/tenant/invitationUser` endpoint performs no authorization check, allowing unauthorized members to invite external users.
### **Proof of Concept (PoC)**
The reporter demonstrated the attack sequence using standard HTTP requests:
```bash
# 1. Enumerate IDs to retrieve the sensitive 'houseNumber' (IDOR)
curl -X GET "http://server/sys/tenant/queryById?id=1000" \
-H "Authorization: Bearer <AttackerToken>"
# Response leaks: "houseNumber": "2PI3U6"
# 2. Apply to join the tenant using the leaked credential
curl -X POST "http://server/sys/tenant/joinTenantByHouseNumber" \
-H "Content-Type: application/json" \
-d '{"houseNumber": "2PI3U6"}'
# 3. Core Vulnerability: Attacker uses their own Token to approve their own request
curl -X PUT "http://server/sys/tenant/agreeOrRefuseJoinTenant?tenantId=1000&status=1" \
-H "Authorization: Bearer <AttackerToken>"
```
-----
### **Conclusion**
In summary, this vulnerability constitutes a fundamental **Insecure Design** flaw that violates the trust boundary of the SaaS platform. An attacker can gain unauthorized membership in any tenant without administrative intervention, leading to severe data compromise. Immediate remediation requires enforcing strict **RBAC (Role-Based Access Control)** by adding `@RequiresPermissions` annotations and validating the relationship between the **Subject** (current user) and the **Object** (target tenant) in every affected endpoint.
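As an added illustration of the Subject/Object check the conclusion calls for (this is not code from JeecgBoot or from the issue reporter; `TenantMembershipRepository`, `Membership`, `JoinRequest` and the role and status strings are hypothetical names), an approval handler that refuses self-approval, takes the tenant from the stored request rather than from a client parameter, and requires the caller to already be an administrator of that tenant:

```java
import java.util.Objects;
import java.util.Optional;

// Hypothetical, minimal model: who belongs to which tenant, with what role.
record Membership(String userId, long tenantId, String role) {}
record JoinRequest(long requestId, long tenantId, String applicantId, String status) {}

interface TenantMembershipRepository {
    Optional<Membership> find(String userId, long tenantId);
    Optional<JoinRequest> findRequest(long requestId);
    void setRequestStatus(long requestId, String status);
}

final class AccessDeniedException extends RuntimeException {
    AccessDeniedException(String msg) { super(msg); }
}

final class JoinRequestApprovalService {
    private final TenantMembershipRepository repo;

    JoinRequestApprovalService(TenantMembershipRepository repo) { this.repo = repo; }

    /**
     * Approve or refuse a join request. The caller (subject) must already be an
     * administrator of the request's tenant (object) and must not be the
     * applicant. Every failure is reported identically so the endpoint cannot
     * be used to confirm which request or tenant ids exist.
     */
    public void decide(String callerId, long requestId, boolean approve) {
        JoinRequest req = repo.findRequest(requestId)
                .orElseThrow(() -> new AccessDeniedException("request not found"));

        // Self-approval: the applicant never decides on their own request.
        if (Objects.equals(req.applicantId(), callerId)) {
            throw new AccessDeniedException("request not found");
        }
        // Subject/object relationship: the caller's role is looked up server-side
        // for the tenant recorded on the request, not for a tenantId the client sent.
        Membership m = repo.find(callerId, req.tenantId())
                .orElseThrow(() -> new AccessDeniedException("request not found"));
        if (!"ADMIN".equals(m.role())) {
            throw new AccessDeniedException("request not found");
        }
        if (!"PENDING".equals(req.status())) {
            throw new IllegalStateException("request already decided");
        }
        repo.setRequestStatus(requestId, approve ? "APPROVED" : "REFUSED");
    }
}
```

The same membership-and-role lookup belongs in front of `invitationUser`, and `queryById` should return a tenant only when the caller is a member of it.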

| Field | Value |
|---|---|
| Source | https://github.com/jeecgboot/JeecgBoot/issues/9196 |
| User | Anonymous User |
| Submission | 12/15/2025 16:24 (6 months ago) |
| Moderation | 12/18/2025 19:25 (3 days later) |
| Status | Accepted |
| VulDB entry | 337432 [JeecgBoot up to 3.9.0 Multi-Tenant Management SysTenantController.java ID improper authentication] |
| Points | 19 |