CVE-2025-0409
Published: 13 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-0409 is a critical SQL injection vulnerability in liujianview gymxmjpa version 1.0. The issue resides in the MembertypeDaoImpl function within the file src/main/java/com/liujian/gymxmjpa/controller/MembertypeController.java, where manipulation of the typeName argument enables SQL code injection. Published on 2025-01-13, it carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and is associated with CWEs 74 and 89.
The vulnerability allows remote exploitation by low-privileged users (PR:L) with low attack complexity and no user interaction. Attackers can manipulate the typeName parameter to inject malicious SQL, potentially achieving limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or service disruption within the affected application's scope.
References for further details include GitHub issues at https://github.com/liujianview/gymxmjpa/issues/9 and https://github.com/liujianview/gymxmjpa/issues/9#issue-2765816110, as well as VulDB entries at https://vuldb.com/?ctiid.291285, https://vuldb.com/?id.291285, and https://vuldb.com/?submit.473425. The exploit has been publicly disclosed and may be used by attackers.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote SQL injection in web application controller (MembertypeController.java) enables exploitation of public-facing application (T1190), abuse of server software component (T1505 per advisory), and arbitrary database queries for data collection (T1213.006).