CVE-2025-0406
Published: 13 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0406 is a SQL injection vulnerability classified as critical in liujianview's gymxmjpa version 1.0. The flaw affects the SubjectDaoImpl function in the file src/main/java/com/liujian/gymxmjpa/controller/SubjectController.java, where manipulation of the subname argument enables SQL code injection. It is remotely exploitable and associated with CWE-74 and CWE-89.
Attackers with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Successful exploitation has a Low impact on each of confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption via injected SQL queries.
Advisories and further details, including the publicly disclosed exploit, are documented in GitHub issues at https://github.com/liujianview/gymxmjpa/issues/5 and https://github.com/liujianview/gymxmjpa/issues/5#issue-2765786069, as well as VulDB entries at https://vuldb.com/?ctiid.291282, https://vuldb.com/?id.291282, and https://vuldb.com/?submit.473417. No specific patches are detailed in the available information.
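As an added illustration (not code from the gymxmjpa project, whose actual DAO implementation is not shown here), a hypothetical SubjectDaoImpl that looks up subjects by subname, with the string-concatenation pattern that produces CWE-89 beside a parameterized version; the Subject entity, its subname field and the Spring/JPA wiring are assumptions.

```java
// Added example; hypothetical, not the gymxmjpa project's own code.
import java.util.List;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;
import javax.persistence.TypedQuery;
import org.springframework.stereotype.Repository;

@Repository
public class SubjectDaoImpl {

    @PersistenceContext
    private EntityManager em;

    // VULNERABLE pattern (assumed): the caller-controlled subname is spliced into
    // the query text, so whatever it contains is parsed as query syntax rather than
    // treated as a value. This is the shape of defect CWE-89 describes.
    public List<Subject> findBySubnameUnsafe(String subname) {
        String jpql = "SELECT s FROM Subject s WHERE s.subname LIKE '%" + subname + "%'";
        return em.createQuery(jpql, Subject.class).getResultList();
    }

    // HARDENED: the query text is a constant and the value is bound as a named
    // parameter, so the JPA provider passes it to the database separately from
    // the statement and it cannot change the statement's structure.
    public List<Subject> findBySubname(String subname) {
        TypedQuery<Subject> q = em.createQuery(
            "SELECT s FROM Subject s WHERE s.subname LIKE :pattern ESCAPE '!'",
            Subject.class);
        q.setParameter("pattern", "%" + escapeLike(subname) + "%");
        return q.getResultList();
    }

    // Binding stops injection, but LIKE wildcards in the bound value are still
    // interpreted; escape them so a user cannot widen the match with '%' or '_'.
    // '!' is declared as the escape character in the query above.
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }
}
```

The same fix applies to native SQL built with createNativeQuery or JdbcTemplate: keep the statement text fixed and supply every user-derived value through a bound parameter.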
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (gymxmjpa SubjectController) enables exploitation of public-facing apps (T1190), abuse of server software components like databases (T1505), and collection of data from databases (T1213.006).