CVE-2022-22881: SQL Injection in Jeecg-boot

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.75775%
Published: 2/17/2022
Updated: 2/3/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
org.jeecgframework.boot:jeecg-boot-base | maven | <= 3.0 |
org.jeecgframework.boot:jeecg-boot-base-core | maven | <= 3.0 |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is explicitly tied to the /sys/user/queryUserComponentData endpoint and its 'code' parameter. In a typical Spring Boot architecture, this endpoint maps to a controller method (e.g., SysUserController.queryUserComponentData). SQL injection occurs when the user-supplied 'code' value is interpolated directly into the SQL text instead of being bound as a query parameter. The absence of input validation and of prepared statements in that code path matches the reported CWE-89 weakness. Although the exact source is unavailable, the endpoint structure and the parameter-specific attack vector strongly indicate this controller method as the vulnerable component.
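As an added illustration (not Jeecg-boot's code, which the analysis above notes is unavailable), the two patterns described: a hypothetical handler that concatenates the `code` parameter into the SQL text, beside a hardened version that binds it as a JDBC parameter and checks its shape first. The table and column names (`sys_user`, `org_code`) and the allowed shape of `code` are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical illustration of the CWE-89 pattern described above; not Jeecg-boot's code.
public class UserComponentDataExample {

    // Vulnerable pattern: the 'code' request parameter becomes part of the SQL text,
    // so the database parses whatever characters the client sent as query syntax.
    static List<String> queryVulnerable(Connection conn, String code) throws SQLException {
        String sql = "SELECT username FROM sys_user WHERE org_code = '" + code + "'";
        List<String> out = new ArrayList<>();
        try (Statement st = conn.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            while (rs.next()) out.add(rs.getString(1));
        }
        return out;
    }

    // Assumed allow-list for the value shape this endpoint needs: a short alphanumeric code.
    private static final Pattern CODE_SHAPE = Pattern.compile("^[A-Za-z0-9_]{1,32}$");

    // Hardened pattern: the value is bound as a parameter, so the driver sends it as data
    // and the SQL text is fixed; malformed input is rejected before reaching the database.
    static List<String> querySafe(Connection conn, String code) throws SQLException {
        if (code == null || !CODE_SHAPE.matcher(code).matches()) {
            throw new IllegalArgumentException("invalid code parameter");
        }
        String sql = "SELECT username FROM sys_user WHERE org_code = ?";
        List<String> out = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, code);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) out.add(rs.getString(1));
            }
        }
        return out;
    }
}
```

The same distinction applies in MyBatis mappers, which Spring Boot services commonly use: `${code}` is plain string substitution (the vulnerable pattern), while `#{code}` is a bound parameter (the safe one).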

WAF Protection Rules

WAF Rule

Jeecg-boot v3.0 was discovered to contain a SQL injection vulnerability via the code parameter in /sys/user/queryUserComponentData.
