| Title | The maku-boot application has any code execution that can trigger any SQL execution |
|---|---|
| Description | The scheduled task function in the maku-boot application has any code execution, and any SQL statement execution can be triggered by finding the utilization chain. Impact version: maku-boot v1.3.0-v2.2.0. Users with "schedule" permissions can execute arbitrary SQL statements, even RCE. In addition, any SQL statements can be executed, and the maku-boot program supports MySQL and PostgreSQL databases. Therefore, the UDF may upgrade permissions and execute commands. |
| Source | https://gitee.com/makunet/maku-boot/issues/I5ZUYI |
| User | TGAO (UID 37046) |
| Submission | 07/12/2022 02:46 (4 years ago) |
| Moderation | 07/12/2022 07:47 (5 hours later) |
| Status | Accepted |
| VulDB Entry | 215013 [maku-boot up to 2.2.0 Scheduled Task AbstractScheduleJob.java doExecute privilege escalation] |
| Points | 20 |