CVE-2025-14908
Improper Authentication in JeecgBoot Multi-Tenant Module
Publication date: 2025-12-19
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jeecg | jeecgboot | 3.9.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14908 is a critical improper authentication and broken access control vulnerability in JeecgBoot versions up to 3.9.0, specifically in the Multi-Tenant Management Module's SysTenantController.java. The flaw allows any authenticated user to bypass tenant isolation controls by manipulating the argument 'id' and exploiting missing authorization checks. Attackers can enumerate tenant IDs, retrieve sensitive tenant credentials (houseNumber), submit join requests to any tenant, approve their own join requests without administrator consent, and invite arbitrary users to tenants without permission. This breaks the multi-tenancy isolation, enabling unauthorized access, privilege escalation, and data compromise across tenants. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can severely impact you by allowing attackers to bypass tenant isolation and gain unauthorized access to tenant data and resources. Attackers can enumerate tenant IDs and sensitive credentials, join any tenant without approval, escalate privileges by self-approving join requests, and invite unauthorized users to tenants. This leads to data leakage of sensitive information such as customer, order, and financial data, unauthorized modification of organizational structures, and potential compromise of the entire multi-tenant environment's confidentiality, integrity, and availability. [1, 2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability violates data protection regulations such as GDPR by enabling unauthorized access and exposure of sensitive tenant data, including personal and financial information. The failure of tenant isolation and improper access controls can lead to data breaches, risking legal penalties, reputational damage, and non-compliance with privacy and security standards required by regulations like GDPR and HIPAA. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and testing the vulnerable endpoints in the JeecgBoot Multi-Tenant Management Module. Specifically, check for unauthorized access to, or manipulation of, the following endpoints:

1. `GET /sys/tenant/queryById` - test whether tenant IDs can be enumerated and whether sensitive data such as `houseNumber` is exposed without authorization.
2. `PUT /sys/tenant/agreeOrRefuseJoinTenant` - test whether join requests can be self-approved without proper permissions.
3. `POST /sys/tenant/invitationUser` - test whether unauthorized user invitations are possible.

Commands to detect exploitation attempts could include:

- Using curl or a similar tool to enumerate tenant IDs and retrieve tenant data, iterating over tenantId values, e.g.: `curl -X GET "http://<target>/sys/tenant/queryById?id=<tenantId>" -H "Authorization: Bearer <token>"`
- Attempting to approve a join request with your own token: `curl -X PUT "http://<target>/sys/tenant/agreeOrRefuseJoinTenant" -H "Authorization: Bearer <token>" -d '{"id":<joinRequestId>, "status":1}'`
- Attempting to invite users without proper permissions: `curl -X POST "http://<target>/sys/tenant/invitationUser" -H "Authorization: Bearer <token>" -d '{"phone":"1234567890", "deptId":<deptId>}'`

Additionally, monitoring logs for unusual tenant join approvals, tenant ID enumeration patterns, or unauthorized invitations can help detect exploitation attempts. [2, 3]
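The log-monitoring advice above (and the "monitor logs for suspicious activities" step in the mitigation answer below) can be turned into two concrete heuristics: one user querying many distinct tenant IDs on `/sys/tenant/queryById` within a short window, and successful calls to the approve/invite endpoints by accounts that are not known tenant administrators. The following script is an added example written for this page, not JeecgBoot's own code or tooling: the log line format, the user names and the administrator list are constructed for the example, and the thresholds are assumptions to tune against your own traffic.

```python
"""Detection heuristics for the JeecgBoot tenant endpoints named in CVE-2025-14908.

Input: access-log lines in a constructed format (adapt the regex to your
gateway or application log):
    <ISO timestamp> user=<login> <METHOD> <path>[?query] status=<code>
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) status=(?P<status>\d{3})$"
)

ENUM_PATH = "/sys/tenant/queryById"
# Endpoints that should only succeed for tenant administrators.
PRIVILEGED = {
    ("PUT", "/sys/tenant/agreeOrRefuseJoinTenant"),
    ("POST", "/sys/tenant/invitationUser"),
}

# Constructed sample log: alice walks tenant ids 1..5 in four seconds and
# then approves a join request; carol is a legitimate admin; bob's
# invitation attempt was rejected with 403 and must not be flagged.
SAMPLE_LOG = """\
2025-12-20T10:00:00 user=alice GET /sys/tenant/queryById?id=1 status=200
2025-12-20T10:00:01 user=alice GET /sys/tenant/queryById?id=2 status=200
2025-12-20T10:00:02 user=alice GET /sys/tenant/queryById?id=3 status=200
2025-12-20T10:00:03 user=alice GET /sys/tenant/queryById?id=4 status=200
2025-12-20T10:00:04 user=alice GET /sys/tenant/queryById?id=5 status=200
2025-12-20T10:00:30 user=bob GET /sys/tenant/queryById?id=7 status=200
2025-12-20T10:01:00 user=alice PUT /sys/tenant/agreeOrRefuseJoinTenant status=200
2025-12-20T10:02:00 user=carol POST /sys/tenant/invitationUser status=200
2025-12-20T10:03:00 user=bob POST /sys/tenant/invitationUser status=403
""".splitlines()
TENANT_ADMINS = {"carol"}  # constructed; source this from your tenant-admin table


def parse_line(line: str) -> dict | None:
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["url"])
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "method": m["method"],
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "status": int(m["status"]),
    }


def detect(lines, tenant_admins, window=timedelta(seconds=60), distinct_ids=5):
    """Return a list of (rule, user, detail) findings for the given log lines."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    findings = []

    # Rule 1: one user requesting >= distinct_ids different tenant ids
    # within a sliding time window (tenant ID enumeration).
    per_user: dict[str, list] = defaultdict(list)
    for e in events:
        if e["method"] == "GET" and e["path"] == ENUM_PATH and "id" in e["query"]:
            per_user[e["user"]].append((e["ts"], e["query"]["id"]))
    for user, hits in per_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ids = {tid for _, tid in hits[start:end + 1]}
            if len(ids) >= distinct_ids:
                findings.append(("tenant_id_enumeration", user, len(ids)))
                break  # one finding per user is enough

    # Rule 2: a privileged tenant operation that succeeded (HTTP 200) for a
    # caller who is not a known tenant administrator.
    for e in events:
        if ((e["method"], e["path"]) in PRIVILEGED
                and e["status"] == 200
                and e["user"] not in tenant_admins):
            findings.append(("unauthorized_tenant_operation", e["user"], e["path"]))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_LOG, TENANT_ADMINS):
        print(f"{rule}: user={user} detail={detail}")
```

On the constructed sample this reports alice twice (enumeration of five tenant IDs, then a successful `agreeOrRefuseJoinTenant` call by a non-admin) and nothing for bob or carol. Rule 2 deliberately keys on the response status: after the patch that disables the join/approve endpoints, any 200 on those paths is itself worth an alert, while a 403 shows the access control doing its job.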
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Apply the official patch that disables the vulnerable APIs by commenting out the `joinTenantByHouseNumber` and `agreeOrRefuseJoinTenant` endpoints, preventing unauthorized tenant joining and approval.
2. Enforce strict Role-Based Access Control (RBAC) by adding permission annotations such as `@RequiresPermissions` on all tenant management endpoints, so that only authorized tenant administrators can approve join requests or invite users.
3. Restrict access to the `GET /sys/tenant/queryById` endpoint by implementing permission checks, IP whitelisting, or rate limiting to prevent tenant ID enumeration and sensitive data leakage.
4. Manually audit recent tenant join requests and tenant membership lists for anomalies or unauthorized entries.
5. Monitor logs for suspicious activities related to tenant operations.
6. Notify users and administrators to upgrade to the patched version as soon as possible.

These steps help prevent exploitation while a comprehensive fix and security audit are performed. [2, 3, 4]