CVE-2024-57606
Published: 07 February 2025
Summary
CVE-2024-57606 is a high-severity SQL Injection (CWE-89) vulnerability in Guojusoft Jeecgboot. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 42.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-57606 is a SQL injection vulnerability (CWE-89) affecting Beijing Guoju Information Technology Co., Ltd's JeecgBoot version 3.7.2. The flaw resides in the getTotalData component, which a remote attacker can exploit to obtain sensitive information from the underlying database.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating it is exploitable over the network with low complexity, requiring no privileges, user interaction, or scope changes. An unauthenticated remote attacker can inject malicious SQL payloads into the getTotalData component to extract sensitive data, such as database contents, without impacting integrity or availability.
Mitigation details are available in the project's GitHub issue at https://github.com/jeecgboot/JeecgBoot/issues/7665, which serves as the primary advisory reference for this CVE.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53643
Vulnerability details
SQL injection vulnerability in Beijing Guoju Information Technology Co., Ltd JeecgBoot v.3.7.2 allows a remote attacker to obtain sensitive information via the getTotalData component.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web application (JeecgBoot) enables exploitation (T1190) for unauthorized access to databases to collect sensitive information such as user credentials (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection attacks like CVE-2024-57606 by validating and sanitizing inputs to the vulnerable getTotalData component.
- SI-2 (Flaw Remediation): remediates the specific SQL injection flaw in JeecgBoot v3.7.2 through timely patching or code fixes as referenced in the advisory.
- Boundary protection: web application firewalls inspect and block malicious SQL payloads targeting the unauthenticated remote endpoint.
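To illustrate the flaw class described under "Deeper analysis" and the SI-10 control above, the following is an added example and not JeecgBoot's code: a hypothetical "total data" count endpoint, first with user input spliced into the SQL text, then hardened by allowlisting the table identifier (identifiers cannot be bound as parameters) and binding the filter value. The schema, rows and function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema and rows; not JeecgBoot's data model.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_user (id INTEGER, username TEXT, status INTEGER)")
    conn.executemany("INSERT INTO sys_user VALUES (?, ?, ?)",
                     [(1, "admin", 1), (2, "alice", 1), (3, "bob", 0)])
    return conn

def get_total_data_vulnerable(conn, table, status):
    # Hypothetical vulnerable shape: both the table name and the filter value
    # are concatenated into the query, so the value can rewrite the WHERE clause.
    sql = f"SELECT COUNT(*) FROM {table} WHERE status = '{status}'"
    return conn.execute(sql).fetchone()[0]

# SI-10: table names are identifiers, so they are checked against a fixed allowlist
# rather than escaped; values are passed to the driver as bound parameters.
ALLOWED_TABLES = {"sys_user"}

def get_total_data_hardened(conn, table, status):
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    # The bound value is compared literally; it can never change the SQL structure.
    sql = f"SELECT COUNT(*) FROM {table} WHERE status = ?"
    return conn.execute(sql, (status,)).fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    tautology = "1' OR '1'='1"  # constructed input that widens the filter
    print(get_total_data_vulnerable(db, "sys_user", "1"))       # 2, the intended answer
    print(get_total_data_vulnerable(db, "sys_user", tautology))  # 3, filter bypassed
    print(get_total_data_hardened(db, "sys_user", tautology))    # 0, treated as a literal
```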