| Field | Value |
|---|---|
| Title | JeecgBoot 3.9.1 Improper Access Controls |
| Description | The GET /airag/airagModel/list and GET /airag/airagModel/queryById endpoints in JeecgBoot v3.9.1 lack any @RequiresPermissions annotation, allowing any authenticated user (including those with only the default test role assigned to every registered account) to retrieve the full configuration of all configured AI models. The AiragModel entity returned by these endpoints contains a credential field that stores complete API keys for third-party AI services such as OpenAI, DeepSeek, and Zhipu in plain JSON format (`{"apiKey":"sk-..."}`), and this field has no serialization protection: no @JsonIgnore, no @JsonProperty(access = WRITE_ONLY), no response filtering. The impact is that every user in the system, regardless of their privileges, can exfiltrate valid API keys that grant direct access to external paid AI services, enabling attackers to consume the organization's AI service quotas at the victim's expense, access sensitive data processed through those AI pipelines, or resell the stolen credentials. |
| Source | https://github.com/jeecgboot/JeecgBoot/issues/9599 |
| User | AliceS614 (UID 94277) |
| Submitted | 02/05/2026 14:24 (1 month ago) |
| Moderated | 26/05/2026 18:06 (24 days later) |
| Status | accepted |
| VulDB Entry | 365677 [JeecgBoot up to 3.9.1 AiragModelController list/queryById privilege escalation] |
| Points | 20 |