Cyber Posture

CVE-2024-57606

Severity: High · Public PoC available

Published: 07 February 2025
Modified: 29 September 2025
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0034 (56.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

CVE-2024-57606 is a SQL injection in the getTotalData component of JeecgBoot 3.7.2 that lets a remote attacker obtain sensitive information from the underlying database.

Security Summary

CVE-2024-57606 is a SQL injection vulnerability (CWE-89) in JeecgBoot version 3.7.2, published by Beijing Guoju Information Technology Co., Ltd. The flaw resides in the getTotalData component: input reaching that component is incorporated into a database query without proper neutralization, so a remote attacker can alter the query and read sensitive information from the underlying database.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). It is exploitable over the network with low attack complexity, requires no privileges and no user interaction, and does not change scope. The impact is a high loss of confidentiality with no effect on integrity or availability: an unauthenticated attacker can extract database contents but is not credited with modifying data or disrupting service. In practice, an exposed instance should be treated as having its database contents readable by anyone who can reach the application.

The project's GitHub issue at https://github.com/jeecgboot/JeecgBoot/issues/7665 is the primary advisory reference for this CVE and carries the mitigation details.
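The following is an added illustration of the CWE-89 pattern behind this class of bug and of the standard fix; it is not JeecgBoot's code, and the page does not show the real getTotalData implementation. The schema, table names, the region filter, the column parameter and the "total per region" query are all hypothetical. The vulnerable variant splices the caller's value into the SQL text (what a MyBatis ${} placeholder does); the hardened variant binds the value as a parameter (the #{} placeholder) and allowlists the one thing parameters cannot protect, the column identifier.

```python
import sqlite3

# Constructed in-memory schema for the demo (not JeecgBoot's real tables):
# a report table the aggregation runs over, and an unrelated account table
# whose rows the injection reaches.
SCHEMA = """
CREATE TABLE orders (id INTEGER, region TEXT, amount INTEGER);
INSERT INTO orders VALUES (1, 'north', 100), (2, 'north', 250), (3, 'south', 75);
CREATE TABLE sys_user (id INTEGER, username TEXT, password_hash TEXT);
INSERT INTO sys_user VALUES (1, 'admin', 'constructed-hash-1'),
                            (2, 'jeecg', 'constructed-hash-2');
"""

# Identifiers (column names) cannot be bound as parameters, so if the caller
# may choose the aggregated column it must be checked against an allowlist.
ALLOWED_COLUMNS = {"amount", "id"}


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_total_data_vulnerable(conn, region):
    """Hypothetical 'total per region' query built by string concatenation.

    This is the anti-pattern behind CWE-89: the caller-controlled filter value
    is spliced into the SQL text (what a MyBatis ${region} placeholder does),
    so a quote in the value ends the literal and the rest is parsed as SQL.
    """
    sql = ("SELECT region, SUM(amount) FROM orders "
           f"WHERE region = '{region}' GROUP BY region")
    return conn.execute(sql).fetchall()


def get_total_data_safe(conn, region, column="amount"):
    """Hardened form: bind the value (MyBatis #{region}) and allowlist the
    identifier. The driver sends the value out of band, so it is never parsed
    as SQL, and an unexpected column name is rejected before any query runs."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted: {column!r}")
    sql = (f"SELECT region, SUM({column}) FROM orders "
           "WHERE region = ? GROUP BY region")
    return conn.execute(sql, (region,)).fetchall()


# A UNION-based payload: the quote closes the literal, UNION appends rows from
# another table with the same column count, and '--' comments out the
# trailing GROUP BY so the statement still parses.
UNION_PAYLOAD = "north' UNION SELECT username, password_hash FROM sys_user-- "


def demonstrate():
    """Run both variants with a benign value and with the payload."""
    conn = connect()
    return {
        "vulnerable_benign": get_total_data_vulnerable(conn, "north"),
        "vulnerable_payload": get_total_data_vulnerable(conn, UNION_PAYLOAD),
        "safe_benign": get_total_data_safe(conn, "north"),
        "safe_payload": get_total_data_safe(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demonstrate().items():
        print(f"{name}: {rows}")
```

Against the vulnerable variant the payload returns the account rows alongside the legitimate total, which is exactly the confidentiality-only impact the CVSS vector describes; against the parameterized variant the same string is just a region name that matches nothing. The allowlist matters because a "pick the column to total" parameter is common in report endpoints and is not covered by parameter binding.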

Details

CWE(s)
CWE-89

Affected Products

guojusoft / jeecgboot / 3.7.2 (vendor / product / version)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

JeecgBoot is an Internet-facing web application, so the SQL injection gives an unauthenticated attacker an initial access vector (T1190); because the injected query runs against the application's backing database, the same flaw lets the attacker read sensitive records directly from it (T1213.006).
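For the defensive side of the two techniques above, here is an added example of spotting injection attempts against a report endpoint in web-server access logs. It is not part of this page or of the JeecgBoot project; the log lines are constructed, the request path is a hypothetical name, and the pattern list is a starting point rather than a complete signature set. The key step is URL-decoding each query-string value before matching, because quotes, spaces and comment markers arrive percent-encoded.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache/Nginx-style access-log lines (not real traffic). The
# request path is a hypothetical report endpoint used only for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Feb/2025:10:01:02 +0000] "GET /report/getTotalData?region=north HTTP/1.1" 200 512
203.0.113.7 - - [07/Feb/2025:10:01:09 +0000] "GET /report/getTotalData?region=north%27%20UNION%20SELECT%20username%2Cpassword_hash%20FROM%20sys_user--%20 HTTP/1.1" 200 2048
198.51.100.4 - - [07/Feb/2025:10:02:15 +0000] "GET /report/getTotalData?region=south HTTP/1.1" 200 498
203.0.113.7 - - [07/Feb/2025:10:02:40 +0000] "GET /report/getTotalData?region=north%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 510
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Each pattern is applied to the URL-decoded parameter value, since attackers
# percent-encode quotes and spaces and the application decodes them before the
# value reaches the query.
SQLI_PATTERNS = [
    (re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I), "union-select"),
    (re.compile(r"'\s*(or|and)\b", re.I), "quote-then-boolean"),
    (re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I), "time-based"),
    (re.compile(r"(--|/\*)\s*$", re.I), "comment-terminator"),
]


def classify(value):
    """Return the names of every SQL-injection pattern the decoded value matches."""
    return [tag for pattern, tag in SQLI_PATTERNS if pattern.search(value)]


def scan_log(text):
    """Parse each access-log line, decode its query-string parameters and
    report those whose value matches at least one pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not in the expected format; a real pipeline would count these
        target = urlsplit(m.group("target"))
        # parse_qsl percent-decodes names and values; keep_blank_values so an
        # empty parameter still shows up in the record.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            tags = classify(value)
            if tags:
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "path": target.path,
                    "param": name,
                    "value": value,
                    "tags": tags,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']!r} -> {', '.join(f['tags'])}")
```

Two of the four constructed requests are flagged, both from the same source address: a UNION-based read and a time-based probe. Note that the status code is 200 in every case; a successful injection that returns data does not look like an error, so alerting on 5xx responses alone would miss it. For endpoints like this one, pairing the pattern match with response-size anomalies (the 2048-byte reply against the usual ~500) is a cheap second signal.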

References