CVE-2024-43028

Jeecg · Jeecg Boot

Jeecg Boot versions v3.0.0 through v3.5.3 contain a command injection vulnerability in the /jmreport/show component, allowing arbitrary code execution via crafted HTTP requests.

Executive summary

A critical command injection vulnerability in Jeecg Boot allows remote attackers to execute arbitrary system commands via the /jmreport/show component.

Vulnerability

This is a command injection vulnerability located in the /jmreport/show component. An attacker can exploit this by sending a crafted HTTP request that injects system-level commands, leading to remote code execution.

Business impact

Command injection is a high-risk vulnerability allowing attackers to execute commands with the privileges of the application process. Given the 9.8 CVSS score, this can lead to full system compromise, data exfiltration, and potential disruption of business-critical services hosted on the platform.

Remediation

Immediate Action: Update Jeecg Boot to the latest available version to patch the command injection vulnerability.

Proactive Monitoring: Review web access logs for anomalous characters or system commands in request parameters directed at the /jmreport/show endpoint.

Compensating Controls: Use a WAF to filter and block requests containing shell metacharacters or unauthorized command syntax targeting the application.
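The log review step above can be scripted. The following is an added example, not part of this advisory or of the Jeecg project: it parses Apache/nginx combined-format access log lines, isolates requests whose path begins with /jmreport/show, URL-decodes each query parameter (twice, so double-encoded values are not missed) and flags values containing shell metacharacters. The sample entries and the `id` parameter name are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Shell metacharacters that have no place in a report-identifier style parameter.
METACHAR_RE = re.compile(r"[;&|`$<>]")

# Apache/nginx combined log format: client, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious_params(target):
    """Return (name, value) pairs of /jmreport/show query parameters whose decoded value contains a shell metacharacter."""
    parts = urlsplit(target)
    if not parts.path.startswith("/jmreport/show"):
        return []  # other endpoints are out of scope for this check
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; this catches double-encoded payloads
        if METACHAR_RE.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(lines):
    """Return one finding per request to /jmreport/show carrying metacharacters; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "params": hits})
    return findings

# Constructed sample entries, not real traffic; the "id" parameter name is hypothetical.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2024:10:01:02 +0000] "GET /jmreport/show?id=123 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2024:10:01:05 +0000] "GET /jmreport/show?id=123%3Bfoo%20bar HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.9 - - [10/Sep/2024:10:01:06 +0000] "GET /jmreport/show?id=%2524%2528foo%2529 HTTP/1.1" 500 17 "-" "curl/8.0"
198.51.100.4 - - [10/Sep/2024:10:02:00 +0000] "GET /search?q=a%7Cb HTTP/1.1" 200 99 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["ip"], f["status"], f["params"])
```

Only GET query strings are inspected here; if the endpoint also accepts POST bodies, the same parameter check should be applied to request bodies captured by a reverse proxy or WAF, and any hit with a 200 status deserves priority review over one the application rejected.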

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Immediate remediation is required for all instances of Jeecg Boot within the specified version range. Administrators should verify the current version and apply the vendor-supplied update to mitigate the risk of remote code execution and system exploitation.