CVE-2023-34659
Published: 16 June 2023
Summary
CVE-2023-34659 is a critical-severity SQL Injection (CWE-89) vulnerability in JeecgBoot (jeecg-boot). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
jeecg-boot versions 3.5.0 and 3.5.1 contain a SQL injection vulnerability in the id parameter of the /jeecg-boot/jmreport/show interface. The flaw is tracked as CWE-89 and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction.
An unauthenticated remote attacker can supply crafted input to the affected endpoint and execute arbitrary SQL commands against the backend database. Successful exploitation grants full read, write, and delete access to database contents, enabling data exfiltration, modification, or service disruption.
The associated GitHub issue references do not contain published patches or mitigation guidance. The EPSS score for this CVE is 0.9191 (an estimated 92% probability of exploitation activity within the next 30 days); its recorded peak is the same value, so the score currently sits at its historical maximum and exploitation interest has not tailed off since disclosure.
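To make the weakness described above concrete, the following added example (not code from the page or from the JeecgBoot project) contrasts the vulnerable pattern, an untrusted id concatenated into SQL text, with the hardened parameterised form. The schema, the report ids and the tautology input are all constructed stand-ins; they do not reproduce JeecgBoot's report table, its code path, or the published proof-of-concept.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a report-metadata table (not JeecgBoot's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE report (id TEXT PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO report VALUES (?, ?, ?)",
        [("rpt-001", "Sales summary", "alice"),
         ("rpt-002", "Payroll", "bob"),
         ("rpt-003", "Audit trail", "carol")],
    )
    return conn


def show_report_vulnerable(conn, report_id):
    """Vulnerable pattern: the untrusted id is spliced into the SQL text,
    so a quote in the input ends the literal and the rest becomes SQL."""
    sql = "SELECT id, name, owner FROM report WHERE id = '" + report_id + "'"
    return conn.execute(sql).fetchall()


def show_report_safe(conn, report_id):
    """Hardened pattern: the id is bound as a parameter and stays data,
    whatever characters it contains."""
    sql = "SELECT id, name, owner FROM report WHERE id = ?"
    return conn.execute(sql, (report_id,)).fetchall()


def demo():
    conn = make_db()
    benign = "rpt-001"
    # Constructed tautology input for illustration only; not the payload
    # reported against jeecg-boot. Under concatenation the WHERE clause becomes
    # id = 'x' OR '1'='1', which is true for every row.
    tautology = "x' OR '1'='1"
    return {
        "vulnerable_benign": show_report_vulnerable(conn, benign),
        "vulnerable_tautology": show_report_vulnerable(conn, tautology),
        "safe_benign": show_report_safe(conn, benign),
        "safe_tautology": show_report_safe(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

The vulnerable path returns one row for the benign id and the whole table for the tautology; the parameterised path returns one row and zero rows respectively, because the bound value is compared literally. In a MyBatis mapper, which is the persistence layer JeecgBoot is built on, the same distinction is `#{id}` (bound parameter) versus `${id}` (raw text substitution); the page does not state which construct the affected interface used, only that the id parameter reaches the query unsanitised.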
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1756
Vulnerability details
jeecg-boot 3.5.0 and 3.5.1 have a SQL injection vulnerability in the id parameter of the /jeecg-boot/jmreport/show interface.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
jeecg-boot 3.5.0 and 3.5.1 (the /jeecg-boot/jmreport/show interface, id parameter)
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
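Because the page records no published patch or mitigation guidance, a compensating detection is the control most teams can deploy immediately. The following added example (not code from the page or the JeecgBoot project) scans combined-format web access logs for requests to /jeecg-boot/jmreport/show whose id parameter does not look like a legitimate report id, and tags the stronger signal (SQL metacharacters) separately from a plain format mismatch. The allow-list regex for benign ids, the metacharacter list and the sample log lines are all assumptions constructed for the example; the payload-like values are generic tautology and comment strings, not the published proof-of-concept.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/jeecg-boot/jmreport/show"

# Assumption: legitimate report ids are short and alphanumeric (plus '-' and
# '_'). Tighten this to the id format your deployment actually issues.
BENIGN_ID = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Coarse second signal: SQL metacharacters and common injection keywords.
SQL_META = re.compile(
    r"""['"\\;]|--|/\*|\b(?:or|and|union|select|sleep|updatexml|extractvalue)\b""",
    re.I,
)

# Combined (Apache/nginx) access-log line: client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_line(line):
    """Return a finding for a suspicious show?id= request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    # parse_qs percent-decodes once and keeps every repeated id= value.
    for value in parse_qs(parts.query, keep_blank_values=True).get("id", []):
        if BENIGN_ID.fullmatch(value):
            continue
        reason = "sql-metacharacters" if SQL_META.search(value) else "unexpected-id-format"
        return {
            "client": m.group("client"),
            "ts": m.group("ts"),
            "status": m.group("status"),
            "id": value,
            "reason": reason,
        }
    return None


def scan(lines):
    """Run inspect_line over a log and return only the findings."""
    return [f for f in (inspect_line(line) for line in lines) if f]


# Constructed sample traffic (not real logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jun/2023:10:01:02 +0000] "GET /jeecg-boot/jmreport/show?id=rpt-001 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [17/Jun/2023:10:02:15 +0000] "GET /jeecg-boot/jmreport/show?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "python-requests/2.31"',
    '203.0.113.9 - - [17/Jun/2023:10:02:16 +0000] "GET /jeecg-boot/jmreport/show?id=1%27--%20 HTTP/1.1" 500 310 "-" "python-requests/2.31"',
    '10.0.0.7 - - [17/Jun/2023:10:03:40 +0000] "GET /jeecg-boot/jmreport/list?id=x%27 HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [17/Jun/2023:10:04:01 +0000] "GET /jeecg-boot/jmreport/show?id=report%20one HTTP/1.1" 404 120 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the sample, the two requests from 203.0.113.9 are flagged as `sql-metacharacters`, the request to a different jmreport path is ignored, and `report one` is flagged only as `unexpected-id-format`, which is the lower-confidence bucket to triage second. The allow-list check runs first on purpose: a keyword list alone misses encodings it does not know about, whereas anything outside the expected id shape is worth a look regardless. Pair the log check with the same allow-list applied at a WAF or reverse proxy in front of the endpoint while the affected versions remain deployed.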