CVE-2023-4450
Published: 21 August 2023
Summary
CVE-2023-4450 is a medium-severity Injection (CWE-74) vulnerability in Jeecg Jimureport. Its CVSS base score is 6.3 (Medium).
Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A vulnerability identified as CVE-2023-4450 affects the Template Handler component in jeecgboot JimuReport versions up to 1.6.0. The issue stems from improper handling of input that permits injection attacks, classified under CWE-74, and carries a CVSS v3.1 score of 6.3 reflecting network-accessible exploitation with low attack complexity and low-privileged authentication requirements.
An attacker with low-privileged remote access can manipulate template-related functionality to perform injection, resulting in limited impacts to confidentiality, integrity, and availability. Publicly disclosed proof-of-concept material demonstrates the attack vector, enabling potential unauthorized code or command execution within the affected reporting component.
Advisories recommend upgrading JimuReport to version 1.6.1 to resolve the vulnerability, with associated references pointing to detailed technical descriptions on VulDB and a public GitHub repository containing exploit details.
The EPSS score has reached a peak of 0.9150 with a current value of 0.9105, indicating sustained exploitation interest following disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-54310
Vulnerability details
A vulnerability was found in jeecgboot JimuReport up to 1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Template Handler. The manipulation leads to injection. The attack can be launched remotely.…
more
The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.1 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-237571.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.