CVE-2024-57770
Published: 16 January 2025
Summary
CVE-2024-57770 is a high-severity SQL Injection (CWE-89) vulnerability in Jfinaloa Project Jfinaloa. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Databases (T1213.006); ranked in the top 46.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-57770 is a SQL injection vulnerability (CWE-89) affecting JFinalOA versions prior to v2025.01.01. The issue resides in the apply/save#oaContractApply.id component, allowing malicious SQL queries to be injected and executed.
The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low attack complexity, requiring only low privileges, and no user interaction. An authenticated attacker with low-level access can leverage this to achieve high impacts on confidentiality, integrity, and availability, potentially enabling unauthorized data access, modification, or disruption.
Mitigation details are available in the referenced advisory at https://gitee.com/r1bbit/JFinalOA/issues/IBHUP1. Upgrading to JFinalOA v2025.01.01 or later addresses the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53738
Vulnerability details
JFinalOA before v2025.01.01 was discovered to contain a SQL injection vulnerability via the component apply/save#oaContractApply.id.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in authenticated admin endpoint allows arbitrary SQL execution on the backend database, facilitating data collection from databases.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-10 requires validating information inputs like the oaContractApply.id parameter to prevent malicious SQL injection queries from being executed.
SI-2 ensures timely remediation of flaws such as upgrading JFinalOA to v2025.01.01 to eliminate the SQL injection vulnerability.
RA-5 vulnerability scanning identifies SQL injection flaws in components like apply/save#oaContractApply.id before exploitation.