
CVE-2022-45208: Jeecg-boot vulnerable to SQL injection via /sys/user/putRecycleBin

CVSS Score: 4.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.14861%
Published: 11/25/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jeecgframework.boot:jeecg-boot-common
Ecosystem: maven
Vulnerable Versions: < 3.4.4
First Patched Version: 3.4.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from unsafe SQL parameter handling in MyBatis XML mappings. The pre-patch versions used dangerous ${userIds} interpolation in SQL IN clauses rather than safe #{} parameterization. The mapper interface methods accepted raw String inputs which were passed to these vulnerable XML mappings. The service layer's String.format() calls created comma-separated quoted values that appeared safe but were still vulnerable due to the underlying ${} interpolation in SQL templates. The commit fixed this by switching to List<String> parameters and using <foreach> with #{} in XML.
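The pattern described above, shown as an illustrative MyBatis mapper fragment added here (not jeecg-boot's own file): the statement ids, table and column names, and the mapper method signatures are assumed for the sake of the example.

```xml
<!-- Illustrative mapper, not jeecg-boot's own code. Table, column and statement
     names are assumed; the point is the ${} vs <foreach>/#{} contrast. -->
<mapper namespace="org.example.mapper.SysUserMapper">

  <!-- BEFORE (vulnerable pattern). Mapper method assumed as:
         void putRecycleBinUnsafe(@Param("userIds") String userIds);
       ${userIds} is plain text substitution. The service layer built the value
       with String.format(), producing something like 'a','b' so the final SQL
       looked quoted, but the whole string is spliced into the statement verbatim
       and never bound as a JDBC parameter, so its contents can still alter the
       statement's structure. -->
  <update id="putRecycleBinUnsafe">
    UPDATE sys_user SET del_flag = 0 WHERE id IN (${userIds})
  </update>

  <!-- AFTER (fixed pattern). Mapper method assumed as:
         void putRecycleBin(@Param("userIds") List<String> userIds);
       <foreach> expands the list into IN (?, ?, ?) and #{} binds every element as
       a parameter, so the driver treats each id as data, never as SQL. The
       @Param name is what makes collection="userIds" resolvable. -->
  <update id="putRecycleBin">
    UPDATE sys_user SET del_flag = 0 WHERE id IN
    <foreach collection="userIds" item="id" open="(" separator="," close=")">
      #{id}
    </foreach>
  </update>

</mapper>
```

When auditing other mappers for the same defect, search the XML for `${` inside `IN (...)` clauses; a quoted-and-joined String built by the caller is not a substitute for parameter binding.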
