From c65647693954aff433d29c154f919dfd392a8bb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=90=95=E6=B3=8A=E4=BC=B8?= Date: Thu, 27 Apr 2023 07:40:19 +0000 Subject: [PATCH 1/2] CVE-2023-1454 CVE-2023-1454 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 吕泊伸 --- cve/jeecg/2023/CVE-2023-1454/README.md | 23 +++++++++++++++++++++++ cve/jeecg/2023/yaml/CVE-2023-1454.yaml | 20 ++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 cve/jeecg/2023/CVE-2023-1454/README.md create mode 100644 cve/jeecg/2023/yaml/CVE-2023-1454.yaml diff --git a/cve/jeecg/2023/CVE-2023-1454/README.md b/cve/jeecg/2023/CVE-2023-1454/README.md new file mode 100644 index 00000000..7b0d7d77 --- /dev/null +++ b/cve/jeecg/2023/CVE-2023-1454/README.md @@ -0,0 +1,23 @@ +# CVE-2023-1454 + +## jeecg-boot unauthorized SQL Injection Vulnerability (CVE-2023-1454) + +| **Vulnerability** | **jeecg-boot unauthorized SQL Injection Vulnerability (CVE-2023-1454)** | +| :----: | :-----| +| **Chinese name** | jeecg-boot 未授权SQL注入漏洞(CVE-2023-1454 | +| **CVSS core** | 9.8 | +| **FOFA Query** (click to view the results directly)| [title=="JeecgBoot 企业级低代码平台"](https://fofa.info/result?qbase64=dGl0bGU9PSJKZWVjZ0Jvb3Qg5LyB5Lia57qn5L2O5Luj56CB5bmz5Y%2BwIg%3D%3Da) | +| **Number of assets affected** | 3957 | +| **Description** | JeecgBoot is a low -code development platform based on code generator. Java Low Code Platform for Enterprise web applications jeecg-boot(v3.5.0) latest unauthorized sql injection. | +| **Impact** | In addition to using SQL injection vulnerabilities to obtain information in the database (for example, the administrator's back-end password, the user's personal information of the site), an attacker can write a Trojan horse to the server even in a high-privileged situation to further obtain server system permissions. | + +![](https://s3.bmp.ovh/imgs/2023/03/24/3886eecddee5f04a.gif) + +**[Goby Official URL: https://gobies.org/](https://gobies.org/)** + +If you have a functional type of issue, you can raise an issue on GitHub or in the discussion group below: + +1. GitHub issue: https://github.com/gobysec/Goby/issues +2. Telegram Group: http://t.me/gobies (Group benefits: enjoy the version update 1 month in advance) +3. Telegram Channel: https://t.me/joinchat/ENkApMqOonRhZjFl (Channel benefits: enjoy the version update 1 month in advance) +4. WeChat Group: First add my personal WeChat: **gobyteam**, I will add everyone to the official WeChat group of Goby. (Group benefits: enjoy the version update 1 month in advance) diff --git a/cve/jeecg/2023/yaml/CVE-2023-1454.yaml b/cve/jeecg/2023/yaml/CVE-2023-1454.yaml new file mode 100644 index 00000000..5198f0ca --- /dev/null +++ b/cve/jeecg/2023/yaml/CVE-2023-1454.yaml @@ -0,0 +1,20 @@ +id: CVE-2023-1454 +source: https://github.com/PenTestical/CVE-2020-9484 +info: + name: jeecg SQL注入漏洞 + severity: critical + description: + jeecg是一个应用软件。一款基于代码生成器的智能开发平台。jeecg-boot 3.5.0版本存在SQL注入漏洞,该漏洞源于文件 jmreport/qurestSql 存在安全问题, 通过参数 apiSelectId 导致SQL注入。 + scope-of-influence: + jeecg-boot 3.5.0版本 + reference: + - https://vuldb.com/?ctiid.223299 + - https://vuldb.com/?id.223299 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + cvss-score: 9.8 + cve-id: CVE-2023-1454 + cwe-id: None + cnvd-id: CNNVD-202303-1399 + kve-id: None + tags: cve2023, jeecg \ No newline at end of file -- Gitee From b7986d06aff2449d594b8f5e25be903da621895d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=90=95=E6=B3=8A=E4=BC=B8?= Date: Thu, 27 Apr 2023 07:41:46 +0000 Subject: [PATCH 2/2] update openkylin_list.yaml. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: 吕泊伸 --- openkylin_list.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openkylin_list.yaml b/openkylin_list.yaml index 9fdf2623..9347bd94 100644 --- a/openkylin_list.yaml +++ b/openkylin_list.yaml @@ -138,6 +138,8 @@ cve: vmware: - CVE-2021-21975 - CVE-2022-31705 + jeecg: + - CVE-2023-1454 openssl: - CVE-2022-1292 - CVE-2022-2274 -- Gitee