Cyber Posture

CVE-2024-57768

Severity: Critical · Public PoC

Published: 16 January 2025
Modified: 28 May 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (41.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-57768 is a critical-severity SQL Injection (CWE-89) vulnerability in Jfinaloa Project Jfinaloa. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Owner/User Discovery (T1033). The CVE is ranked at the 41.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to System Owner/User Discovery (T1033) and 4 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

SI-10 Information Input Validation (prevent)

Requires validation of user inputs like sysRole.key, directly preventing SQL injection by rejecting or sanitizing malicious SQL payloads before database execution.

SI-2 Flaw Remediation (prevent)

Mandates identification, reporting, and correction of flaws such as CVE-2024-57768 through patching to JFinalOA v2025.01.01 or later.

Vulnerability scanning (prevent, detect)

Vulnerability scanning detects SQL injection issues like this CVE, enabling timely remediation to prevent exploitation.
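As an added illustration of the SI-10 control above (this is not JFinalOA's code; the table name, column name and the allowlist pattern are assumptions), the following Python stand-in for a role-key check puts the concatenating pattern that CWE-89 describes beside a validated, parameterized version:

```python
import re
import sqlite3

# Allowlist for a role key (letters, digits, underscore, 1..64 chars).
# Assumed policy for illustration; JFinalOA's real rules are not on the page.
ROLE_KEY_PATTERN = re.compile(r"[A-Za-z0-9_]{1,64}")


def is_valid_role_key_format(key) -> bool:
    """SI-10 style input validation: accept only values matching the allowlist."""
    return isinstance(key, str) and ROLE_KEY_PATTERN.fullmatch(key) is not None


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a sys_role table (not JFinalOA's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sys_role (id INTEGER PRIMARY KEY, role_key TEXT NOT NULL)")
    conn.executemany("INSERT INTO sys_role (role_key) VALUES (?)", [("admin",), ("auditor",)])
    conn.commit()
    return conn


def role_key_exists_unsafe(conn, key) -> bool:
    """CWE-89 pattern: the request parameter is pasted into the SQL text."""
    sql = f"SELECT COUNT(*) FROM sys_role WHERE role_key = '{key}'"
    return conn.execute(sql).fetchone()[0] > 0


def check_role_key(conn, key) -> str:
    """Hardened handler: validate the input, then bind it as a query parameter.

    Returns 'rejected' (failed validation), 'exists' or 'free'.
    """
    if not is_valid_role_key_format(key):
        return "rejected"
    row = conn.execute(
        "SELECT COUNT(*) FROM sys_role WHERE role_key = ?", (key,)
    ).fetchone()
    return "exists" if row[0] > 0 else "free"
```

A value that breaks out of the quoted literal makes the concatenating version answer "exists" for a key that is not in the table, while the hardened handler rejects it at validation and, even if it were bound, the parameter could only ever be compared as a literal string.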

MITRE ATT&CK Enterprise Techniques · AI

T1033 System Owner/User Discovery (tactic: Discovery)
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.
T1069 Permission Groups Discovery (tactic: Discovery)
Adversaries may attempt to discover group and permission settings.
T1082 System Information Discovery (tactic: Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1087 Account Discovery (tactic: Discovery)
Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.
T1213.006 Databases (tactic: Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in the role validation endpoint enables arbitrary database queries (blind or error-based), facilitating discovery of system owners and users (T1033), permission groups and roles (T1069), system information (T1082) and accounts (T1087), as well as collection from databases (T1213.006).

NVD Description

JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key.

Deeper analysis · AI

CVE-2024-57768 is a SQL injection vulnerability (CWE-89) in JFinalOA versions prior to v2025.01.01. The flaw exists in the validRoleKey?sysRole.key component, allowing malicious SQL queries to be injected and executed.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low attack complexity and no requirement for user interaction. Successful exploitation enables high-impact effects on confidentiality, integrity, and availability, such as unauthorized data access, modification, or deletion through arbitrary SQL execution.

Mitigation details are available in the referenced advisory at https://gitee.com/r1bbit/JFinalOA/issues/IBHUMT. Affected users should upgrade to JFinalOA v2025.01.01 or later to address the issue.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products: jfinaloa project, jfinaloa, versions ≤ 2025-01-01

CVEs Like This One

CVE-2024-57770: same product (Jfinaloa Project Jfinaloa)
CVE-2024-57775: same product (Jfinaloa Project Jfinaloa)
CVE-2024-57769: same product (Jfinaloa Project Jfinaloa)
CVE-2025-22710: shared CWE-89
CVE-2025-30791: shared CWE-89
CVE-2025-24587: shared CWE-89
CVE-2026-32366: shared CWE-89
CVE-2025-30571: shared CWE-89
CVE-2026-42646: shared CWE-89
CVE-2026-39486: shared CWE-89