CVE-2024-57775

HighPublic PoC

Published: 16 January 2025

Published

16 January 2025

Modified

31 January 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0022 44.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2024-57775 is a SQL injection vulnerability (CWE-89) affecting JFinalOA versions prior to v2025.01.01. The issue resides in the getWorkFlowHis?insid component, allowing malicious SQL queries to be injected and executed.

The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low attack complexity and no user interaction required. Exploitation requires low privileges (PR:L), such as an authenticated user account, enabling attackers to achieve high impacts on confidentiality, integrity, and availability, potentially leading to unauthorized data access, modification, or disruption.

Mitigation details are available in the referenced advisory at https://gitee.com/r1bbit/JFinalOA/issues/IBHURT.

Details

CWE(s): CWE-89

Affected Products

jfinaloa project

jfinaloa

≤ 2025-01-01

MITRE ATT&CK Enterprise Techniques

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

The SQL injection vulnerability in the getWorkFlowHis endpoint allows arbitrary SQL queries on the application's database, enabling adversaries to collect data from databases.

References

https://gitee.com/r1bbit/JFinalOA/issues/IBHURT
Exploit, Third Party Advisory · cve@mitre.org