CVE-2025-15119
Improper Authorization in JeecgBoot /sysDepartRole Remote Access
Publication date: 2025-12-28
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jeecg | jeecgboot | 3.9.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in JeecgBoot up to version 3.9.0, specifically in the function queryPageList of the file /sys/sysDepartRole/list. It involves improper authorization due to manipulation of the deptId argument, allowing an attacker to potentially bypass access controls. The attack can be executed remotely but requires a high level of complexity and is considered difficult to exploit. The exploit is publicly available.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to certain data or functions within JeecgBoot by manipulating the deptId parameter. Although the impact is limited to partial confidentiality (as indicated by low CVSS scores), it could allow an attacker with some privileges to access information they should not have access to, potentially compromising sensitive organizational data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes cross-tenant information disclosure by allowing authenticated users to access department role data of other tenants without proper authorization. This unauthorized data leakage violates multi-tenant data isolation principles and poses significant compliance risks, including potential breaches of regulations like GDPR due to exposure of sensitive organizational and permission system information. [2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the vulnerable endpoint with different deptId values to see if cross-tenant data is accessible. For example, an authenticated user can send GET requests to the endpoint `/sys/sysDepartRole/list` with various deptId parameters to check if unauthorized department role data is returned. A sample command to test this is: `curl -X GET -H "Authorization: Bearer <valid_token>" "http://<host>/jeecgboot/sys/sysDepartRole/list?deptId=<other_tenant_dept_id>&pageNo=1&pageSize=10"`. If the response returns data for departments not belonging to the authenticated user's tenant, the vulnerability is present. Monitoring audit logs for unexpected cross-tenant access attempts can also help detect exploitation. [2, 3]
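The log-monitoring suggestion above can be turned into a concrete check. The following is an added example, not code from the advisory or from JeecgBoot: it scans constructed audit lines for successful `/sys/sysDepartRole/list` requests whose `deptId` is owned by a tenant other than the caller's. The log format, the `tenant=`/`deptId=` fields and the department-to-tenant table are all assumptions; a real deployment would derive the ownership table from its own department data and adapt the regex to its log format.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not JeecgBoot code). Log format and ownership table are constructed.
public class CrossTenantAccessDetector {

    // Constructed audit lines: space-separated key=value fields after a timestamp.
    static final List<String> SAMPLE_LOG = List.of(
        "2025-12-28T10:00:01Z user=alice tenant=tenant-A path=/sys/sysDepartRole/list deptId=dept-A1 status=200",
        "2025-12-28T10:00:05Z user=alice tenant=tenant-A path=/sys/sysDepartRole/list deptId=dept-B1 status=200",
        "2025-12-28T10:00:09Z user=alice tenant=tenant-A path=/sys/sysDepartRole/list deptId=dept-B2 status=200",
        "2025-12-28T10:01:00Z user=bob tenant=tenant-B path=/sys/sysDepartRole/list deptId=dept-B1 status=200",
        "2025-12-28T10:01:30Z user=bob tenant=tenant-B path=/sys/user/list status=200");

    // Constructed department-to-tenant ownership table (in a real system this comes
    // from the department table, keyed by department id).
    static final Map<String, String> DEPT_OWNER = Map.of(
        "dept-A1", "tenant-A",
        "dept-B1", "tenant-B",
        "dept-B2", "tenant-B");

    // deptId is optional so that requests without it (other endpoints) still parse.
    static final Pattern LINE = Pattern.compile(
        "^(\\S+) user=(\\S+) tenant=(\\S+) path=(\\S+)(?: deptId=(\\S+))? status=(\\d+)$");

    record Finding(String timestamp, String user, String userTenant, String deptId, String deptTenant) {}

    // One finding per successful department-role listing whose deptId is owned by a
    // different tenant than the caller. Unknown deptIds are reported as "UNKNOWN",
    // since a request for a non-existent department is also worth reviewing.
    static List<Finding> findCrossTenantAccess(List<String> lines) {
        List<Finding> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue;
            String path = m.group(4);
            String deptId = m.group(5);
            String status = m.group(6);
            if (!path.equals("/sys/sysDepartRole/list") || deptId == null || !status.equals("200")) continue;
            String userTenant = m.group(3);
            String owner = DEPT_OWNER.getOrDefault(deptId, "UNKNOWN");
            if (!owner.equals(userTenant)) {
                findings.add(new Finding(m.group(1), m.group(2), userTenant, deptId, owner));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Expected: two findings, both for alice reading tenant-B departments.
        for (Finding f : findCrossTenantAccess(SAMPLE_LOG)) {
            System.out.printf("%s %s (%s) listed roles of deptId=%s owned by %s%n",
                f.timestamp(), f.user(), f.userTenant(), f.deptId(), f.deptTenant());
        }
    }
}
```

Run against the constructed sample, this reports the two `alice` requests for `dept-B1` and `dept-B2` and nothing for `bob`, whose only department-role request was for his own tenant. Filtering on `status=200` keeps the check focused on requests that actually returned data; a 403 for a foreign `deptId` is the expected behaviour after the fix and only becomes interesting in volume.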
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include implementing server-side tenant ownership validation by verifying that the deptId belongs to the authenticated user's tenant before returning data. This can be done by fetching the department entity and checking its tenantId against the current user's tenantId, returning an error if they do not match. Additionally, enforce tenant filtering in the query wrapper by adding tenant ID conditions to ensure queries only return data for the current tenant. Using the MyBatis-Plus multi-tenancy plugin to enforce tenant isolation at the database query level is recommended. Finally, enable audit logging to monitor and detect any cross-tenant access attempts. If these fixes cannot be applied immediately, consider replacing the affected component with an alternative product. [1, 2, 3]
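The two server-side controls described above (validate that the requested `deptId` belongs to the caller's tenant, and additionally constrain the query itself by tenant) can be shown side by side. The following is an added example and not JeecgBoot's own code: the `Department`, `DepartRole` and `CurrentUser` records, the in-memory tables standing in for database rows, and the method names are all assumptions chosen to illustrate the pattern, not the project's real entities or MyBatis-Plus wrappers.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

// Added example (not JeecgBoot code). Entities and data below are constructed stand-ins.
public class TenantScopedDepartRoleQuery {

    record Department(String id, String tenantId) {}
    record DepartRole(String id, String deptId, String tenantId, String roleName) {}
    record CurrentUser(String username, String tenantId) {}

    // Thrown when the caller's tenant does not own the requested department.
    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    // Constructed rows standing in for the department and department-role tables.
    static final Map<String, Department> DEPARTMENTS = Map.of(
        "dept-A1", new Department("dept-A1", "tenant-A"),
        "dept-B1", new Department("dept-B1", "tenant-B"));

    static final List<DepartRole> DEPART_ROLES = List.of(
        new DepartRole("r1", "dept-A1", "tenant-A", "A-admin"),
        new DepartRole("r2", "dept-B1", "tenant-B", "B-admin"),
        new DepartRole("r3", "dept-B1", "tenant-B", "B-viewer"));

    // The weak shape: the query is filtered on deptId only, so any authenticated
    // caller who supplies another tenant's deptId receives that tenant's roles.
    static List<DepartRole> listUnchecked(String deptId) {
        return DEPART_ROLES.stream()
            .filter(r -> r.deptId().equals(deptId))
            .collect(Collectors.toList());
    }

    // The hardened shape: (1) look up the department and compare its tenantId to the
    // caller's, rejecting on mismatch; (2) also add the tenant condition to the query
    // itself, so a future regression in step 1 still cannot return foreign rows.
    static List<DepartRole> listTenantScoped(CurrentUser user, String deptId) {
        Department dept = DEPARTMENTS.get(deptId);
        if (dept == null || !dept.tenantId().equals(user.tenantId())) {
            // Unknown and foreign departments get the same answer, so the response
            // does not reveal whether a guessed deptId exists.
            throw new ForbiddenException("deptId " + deptId + " is not owned by tenant " + user.tenantId());
        }
        return DEPART_ROLES.stream()
            .filter(r -> r.deptId().equals(deptId))
            .filter(r -> r.tenantId().equals(user.tenantId()))
            .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        CurrentUser alice = new CurrentUser("alice", "tenant-A");
        System.out.println("unchecked, foreign dept-B1: " + listUnchecked("dept-B1").size() + " rows returned");
        System.out.println("scoped, own dept-A1: " + listTenantScoped(alice, "dept-A1").size() + " rows returned");
        try {
            listTenantScoped(alice, "dept-B1");
        } catch (ForbiddenException e) {
            System.out.println("scoped, foreign dept-B1: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Running `main` shows the unchecked path handing back both `dept-B1` roles to a tenant-A user, while the scoped path returns only tenant-A data and rejects the foreign id. In a real MyBatis-Plus deployment the second filter corresponds to adding the tenant column to the query wrapper, or letting the multi-tenancy plugin append it to every statement, so that the entity-level check and the query-level check back each other up.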