CVE-2025-0407
Published: 13 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0407 is a SQL injection vulnerability in liujianview gymxmjpa version 1.0. The flaw is in the EquipmentDaoImpl function reached through the file src/main/java/com/liujian/gymxmjpa/controller/EquipmentController.java: the hyname request parameter is incorporated into a SQL query without proper neutralization, so a crafted value changes the query the database executes. The issue is declared critical, is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, "Injection") and CWE-89 (SQL Injection), and was published on 2025-01-13.
The CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L with a base score of 6.3: the attack is remote over the network (AV:N), has low complexity (AC:L), needs only a low-privileged account (PR:L), requires no user interaction (UI:N), does not change scope (S:U), and has low impact on confidentiality, integrity, and availability (C:L/I:L/A:L). Note that 6.3 maps to the Medium qualitative severity band in CVSS v3.1, so the "critical" declaration should be read alongside the score rather than as the CVSS severity.
The flaw is documented in the project's GitHub issue tracker (https://github.com/liujianview/gymxmjpa/issues/7 and https://github.com/liujianview/gymxmjpa/issues/7#issue-2765800789) and in VulDB (https://vuldb.com/?ctiid.291283, https://vuldb.com/?id.291283, https://vuldb.com/?submit.473422). An exploit has been publicly disclosed and may be used.
Because gymxmjpa is an open-source gym management project and the exploit is public, deployed instances face an elevated risk of targeted attack.
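The injection class described above, as an added example that is not code from gymxmjpa or its advisory: the project is a Java/Spring application whose vulnerable EquipmentDaoImpl code is not reproduced on this page, so the snippet below uses Python with an in-memory SQLite database and a constructed schema (the equipment and users tables, the hyname column and every row are assumptions) to show how a hyname value spliced into SQL text turns the lookup into a tautology or into a UNION that reads a different table, and how binding the parameter as a value closes both paths.

```python
import sqlite3

# Constructed sample data (assumption): gymxmjpa's real schema is not on the
# page, so a small "equipment" table keyed by hyname and a "users" table stand
# in for whatever the vulnerable query touches.
SAMPLE_EQUIPMENT = [
    (1, "treadmill", "cardio"),
    (2, "rowing machine", "cardio"),
    (3, "squat rack", "strength"),
]
SAMPLE_USERS = [
    (1, "admin", "pbkdf2$constructed-hash-1"),
    (2, "coach", "pbkdf2$constructed-hash-2"),
]

# Two classic payloads for the hyname parameter: one that makes the WHERE
# clause always true, one that appends a UNION to read the users table.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT id, password FROM users--"


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE equipment (id INTEGER PRIMARY KEY, hyname TEXT, category TEXT)"
    )
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO equipment VALUES (?, ?, ?)", SAMPLE_EQUIPMENT)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def search_vulnerable(conn, hyname):
    """Flaw class from the advisory: the request parameter is spliced into SQL text.

    A quote in hyname ends the string literal, and whatever follows becomes
    SQL syntax executed with the application's database privileges.
    """
    sql = "SELECT id, hyname FROM equipment WHERE hyname = '" + hyname + "'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, hyname):
    """Fix: bind hyname as a value, so quotes and keywords cannot alter the query.

    The same payloads now match nothing, because they are compared as data
    against the hyname column rather than parsed as SQL.
    """
    sql = "SELECT id, hyname FROM equipment WHERE hyname = ?"
    return conn.execute(sql, (hyname,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal:        ", search_vulnerable(db, "treadmill"))
    print("tautology:     ", search_vulnerable(db, TAUTOLOGY_PAYLOAD))
    print("union/exfil:   ", search_vulnerable(db, UNION_PAYLOAD))
    print("parameterized: ", search_parameterized(db, TAUTOLOGY_PAYLOAD))
```

Running the script prints one row for the honest lookup, all three equipment rows for the tautology, the two password hashes from the users table for the UNION payload, and an empty list once the parameter is bound. The Java equivalent of the parameterized branch is a JDBC PreparedStatement with `?` placeholders or a Spring Data JPA `@Query` with a named `:hyname` parameter, never string concatenation into the query text.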
Details
CWE(s)
- CWE-74
- CWE-89
Affected Products
- liujianview gymxmjpa 1.0
MITRE ATT&CK Enterprise Techniques
- T1190
- T1505
- T1213.006
Why these techniques?
The injectable EquipmentController endpoint is reachable over the network, so exploiting it is Exploit Public-Facing Application (T1190); the advisory also cites Server Software Component (T1505); and because the injection lets the attacker run arbitrary queries against the backing database, it supports collection from databases (T1213.006).