Cyber Posture

CVE-2024-57768

Critical · Public PoC

Published: 16 January 2025
Modified: 28 May 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (41.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2024-57768 is a SQL injection vulnerability (CWE-89) in JFinalOA versions prior to v2025.01.01. The flaw exists in the validRoleKey?sysRole.key component, allowing malicious SQL queries to be injected and executed.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low attack complexity and no requirement for user interaction. Successful exploitation enables high-impact effects on confidentiality, integrity, and availability, such as unauthorized data access, modification, or deletion through arbitrary SQL execution.

Mitigation details are available in the referenced advisory at https://gitee.com/r1bbit/JFinalOA/issues/IBHUMT. Affected users should upgrade to JFinalOA v2025.01.01 or later to address the issue.

Details

CWE(s)
CWE-89

Affected Products

Vendor: jfinaloa project
Product: jfinaloa
Versions: ≤ 2025-01-01

MITRE ATT&CK Enterprise Techniques

T1033 System Owner/User Discovery (Discovery)
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.
T1069 Permission Groups Discovery (Discovery)
Adversaries may attempt to discover group and permission settings.
T1082 System Information Discovery (Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1087 Account Discovery (Discovery)
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.
T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in the role validation endpoint enables arbitrary database queries (blind or error-based), facilitating discovery of system owners and users (T1033), permission groups and roles (T1069), system information (T1082), and accounts (T1087), as well as collection of data from databases (T1213.006).

References