Cyber Resilience

CVE-2024-57768

Critical · Public PoC

Published: 16 January 2025
Modified: 28 May 2025
KEV Added: not listed
Patch: upgrade to JFinalOA v2025.01.01 or later
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0027 (50.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-57768 is a critical-severity SQL Injection (CWE-89) vulnerability in Jfinaloa Project Jfinaloa. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Owner/User Discovery (T1033). The CVE ranks in the top 49.5% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-57768 is a SQL injection vulnerability (CWE-89) in JFinalOA versions prior to v2025.01.01. The flaw is in the validRoleKey?sysRole.key component (the sysRole.key parameter of the role-validation endpoint): the supplied value reaches a SQL query without proper validation or parameterisation, allowing attacker-controlled SQL to be injected and executed.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low attack complexity and no requirement for user interaction. Successful exploitation enables high-impact effects on confidentiality, integrity, and availability, such as unauthorized data access, modification, or deletion through arbitrary SQL execution.

Mitigation details are available in the referenced advisory at https://gitee.com/r1bbit/JFinalOA/issues/IBHUMT. Affected users should upgrade to JFinalOA v2025.01.01 or later to address the issue.

Vulnerability details

JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component validRoleKey?sysRole.key.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1033 System Owner/User Discovery (Discovery): Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.
- T1069 Permission Groups Discovery (Discovery): Adversaries may attempt to discover group and permission settings.
- T1082 System Information Discovery (Discovery): An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
- T1087 Account Discovery (Discovery): Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in the role-validation endpoint enables arbitrary database queries (blind or error-based), which in turn facilitates discovery of system owners and users (T1033), permission groups and roles (T1069), system information (T1082) and accounts (T1087), as well as collection of data from databases (T1213.006).

CVEs Like This One

- CVE-2024-57775: same product (Jfinaloa Project Jfinaloa)
- CVE-2024-57770: same product (Jfinaloa Project Jfinaloa)
- CVE-2024-57769: same product (Jfinaloa Project Jfinaloa)
- CVE-2025-30571: shared CWE-89
- CVE-2026-29081: shared CWE-89
- CVE-2026-48232: shared CWE-89
- CVE-2025-30791: shared CWE-89
- CVE-2026-32366: shared CWE-89
- CVE-2025-23784: shared CWE-89
- CVE-2025-22710: shared CWE-89

Affected Assets

Vendor: jfinaloa project
Product: jfinaloa
Affected versions: ≤ 2025-01-01

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)

Requires validation of user inputs such as sysRole.key, directly preventing SQL injection by rejecting or sanitizing malicious SQL payloads before database execution.

SI-2 Flaw Remediation (prevent)

Mandates identification, reporting, and correction of flaws such as CVE-2024-57768 through patching to JFinalOA v2025.01.01 or later.

Vulnerability scanning (prevent, detect)

Vulnerability scanning detects SQL injection issues like this CVE, enabling timely remediation to prevent exploitation.
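To make the SI-10 control concrete, the following added example (not JFinalOA's own code, which is Java, and not taken from the advisory) contrasts a role-key lookup that concatenates the request value into SQL with two defensive layers: a parameterised query, which alone closes the injection, and an allowlist check on the role key as defence in depth. The table name sys_role, the column role_key, the sample rows and the allowlist pattern are all assumptions constructed for the example; the vulnerable function is included only to show, against an in-memory SQLite database, why concatenation is unsafe.

```python
import re
import sqlite3

# Assumed shape of a role key: short, alphanumeric plus underscore.
# Real applications should derive this from their own naming rules.
ROLE_KEY_PATTERN = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory role table (schema is an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sys_role (id INTEGER PRIMARY KEY, role_key TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO sys_role (role_key) VALUES (?)",
        [("admin",), ("auditor",), ("hr",)],
    )
    return conn


def role_key_exists_vulnerable(conn: sqlite3.Connection, role_key: str) -> bool:
    """Unsafe pattern: the request value is spliced into the SQL text, so any
    quote characters in it change the query's structure."""
    sql = "SELECT COUNT(*) FROM sys_role WHERE role_key = '" + role_key + "'"
    return conn.execute(sql).fetchone()[0] > 0


def role_key_exists_parameterized(conn: sqlite3.Connection, role_key: str) -> bool:
    """Safe pattern: the value is bound as a parameter and can only ever be
    compared as data, never interpreted as SQL syntax."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sys_role WHERE role_key = ?", (role_key,)
    ).fetchone()
    return row[0] > 0


def is_valid_role_key(role_key: str) -> bool:
    """SI-10 style input validation: accept only values matching the allowlist."""
    return bool(ROLE_KEY_PATTERN.fullmatch(role_key))


def role_key_exists_safe(conn: sqlite3.Connection, role_key: str) -> bool:
    """Both layers together: reject malformed input up front, then query with
    a bound parameter. Rejected input raises so the caller can return 4xx."""
    if not is_valid_role_key(role_key):
        raise ValueError("invalid role key")
    return role_key_exists_parameterized(conn, role_key)


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote, as a scanner or fuzzer would send.
    malformed = "x' OR '1'='1"
    print("vulnerable:", role_key_exists_vulnerable(db, malformed))   # True (wrong)
    print("parameterized:", role_key_exists_parameterized(db, malformed))  # False
    try:
        role_key_exists_safe(db, malformed)
    except ValueError as exc:
        print("safe:", exc)  # rejected before any query runs
```

The parameterised version is sufficient to prevent the injection; the allowlist check adds a cheap second layer that also rejects oversized or unexpected values before they reach the database, and it is the point at which a request log entry or WAF rule can flag the attempt.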

References

- https://gitee.com/r1bbit/JFinalOA/issues/IBHUMT