
CVE-2023-34602: JeecgBoot vulnerable to SQL injection in queryTableDictItemsByCode

CVSS Score (CVSS 3.1): 6.5

Basic Information

EPSS Score: 0.57034%
Published: 6/19/2023
Updated: 11/8/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name: org.jeecgframework.boot:jeecg-boot-parent
Ecosystem: maven
Vulnerable Versions: < 3.5.1
First Patched Version: 3.5.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The core vulnerability stems from two key points: 1) Before the patch, the isPass method of AbstractQueryBlackListHandler lacked proper input validation of table and field names (specifically, it did not account for hyphens), as shown by the regex pattern added in the fix. 2) The queryTableDictItemsByCode controller method is the entry point that accepts external parameters and passes them to the vulnerable validation logic. The patch adds validation checks to AbstractQueryBlackListHandler, confirming that these were the missing security controls.


WAF Protection Rules

WAF Rule

JeecgBoot up to v<version masked on page> was discovered to contain a SQL injection vulnerability via the component `queryTableDictItemsByCode` in method `org.jeecg.modules.api.controller.SystemApiController`.
