Cyber Resilience

CVE-2023-4450

Medium

Published: 21 August 2023

Published
21 August 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS Score 0.9105 99.7th percentile
Risk Priority 67 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-4450 is a medium-severity Injection (CWE-74) vulnerability in Jeecg Jimureport. Its CVSS base score is 6.3 (Medium).

Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A vulnerability identified as CVE-2023-4450 affects the Template Handler component in jeecgboot JimuReport versions up to 1.6.0. The issue stems from improper handling of input that permits injection attacks, classified under CWE-74, and carries a CVSS v3.1 score of 6.3 reflecting network-accessible exploitation with low attack complexity and low-privileged authentication requirements.

An attacker with low-privileged remote access can manipulate template-related functionality to perform injection, resulting in limited impacts to confidentiality, integrity, and availability. Publicly disclosed proof-of-concept material demonstrates the attack vector, enabling potential unauthorized code or command execution within the affected reporting component.

Advisories recommend upgrading JimuReport to version 1.6.1 to resolve the vulnerability, with associated references pointing to detailed technical descriptions on VulDB and a public GitHub repository containing exploit details.

The EPSS score has reached a peak of 0.9150 with a current value of 0.9105, indicating sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

A vulnerability was found in jeecgboot JimuReport up to 1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Template Handler. The manipulation leads to injection. The attack can be launched remotely.…

more

The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.1 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-237571.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jeecg
jimureport
≤ 1.6.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References