CVE-2024-43028
Jeecg · Jeecg Boot
Jeecg Boot versions v3.0.0 through v3.5.3 contain a command injection vulnerability in the /jmreport/show component, allowing arbitrary code execution via crafted HTTP requests.
Executive summary
A critical command injection vulnerability in Jeecg Boot allows remote attackers to execute arbitrary system commands via the /jmreport/show component.
Vulnerability
This is a command injection vulnerability located in the /jmreport/show component. An attacker can exploit this by sending a crafted HTTP request that injects system-level commands, leading to remote code execution.
Business impact
Command injection is a high-risk vulnerability allowing attackers to execute commands with the privileges of the application process. Given the 9.8 CVSS score, this can lead to full system compromise, data exfiltration, and potential disruption of business-critical services hosted on the platform.
Remediation
Immediate Action: Update Jeecg Boot to the latest available version to patch the command injection vulnerability.
Proactive Monitoring: Review web access logs for anomalous characters or system commands in request parameters directed at the /jmreport/show endpoint.
Compensating Controls: Use a WAF to filter and block requests containing shell metacharacters or unauthorized command syntax targeting the application.
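As an added defensive example (not from the advisory or the Jeecg project), the script below applies the log-review step above to constructed access-log lines: it parses combined-format entries, keeps only requests to /jmreport/show, and flags any query parameter whose decoded value contains shell metacharacters. The parameter names and log lines are constructed, since the advisory does not name the affected parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2024:10:00:01 +0000] "GET /jmreport/show?id=1001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Aug/2024:10:00:07 +0000] "GET /jmreport/show?id=1001%3Bwhoami HTTP/1.1" 500 88 "-" "curl/8.0"
10.0.0.9 - - [01/Aug/2024:10:00:09 +0000] "GET /jmreport/list?page=2 HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.3 - - [01/Aug/2024:10:00:11 +0000] "POST /jmreport/show?name=$(id) HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that have no business in a report identifier or name.
META_RE = re.compile(r'[;|&`$<>\n]')
TARGET_PATH = "/jmreport/show"  # endpoint named in the advisory


def suspicious_params(target):
    """Return (name, value) pairs on /jmreport/show whose decoded value carries metacharacters."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; catch double-encoding too
        if META_RE.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(text):
    """Walk log lines and collect the requests worth an analyst's attention."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "method": m.group("method"),
                             "status": m.group("status"), "params": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} status={f['status']} params={f['params']}")
```

A hit on a 500 or 403 response still deserves review: a failed attempt shows the source is probing the endpoint and the host should be confirmed patched.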
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Immediate remediation is required for all instances of Jeecg Boot within the specified version range. Administrators should verify the current version and apply the vendor-supplied update to mitigate the risk of remote code execution and system exploitation.