CVE-2025-15122
Improper Authorization in JeecgBoot loadDatarule Function
Publication date: 2025-12-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jeecg | jeecgboot | 3.9.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in JeecgBoot up to version 3.9.0, specifically in the loadDatarule function of the /sys/sysDepartRole/datarule/ file. It involves improper authorization caused by manipulation of the departId or roleId arguments. An attacker can exploit this remotely, although the attack is considered to have high complexity and difficult exploitability.
How can this vulnerability impact me?
The vulnerability allows an attacker to bypass proper authorization controls by manipulating certain parameters, potentially gaining unauthorized access to data or functions within the system. Since the exploit is public, there is a risk of remote attacks, but the complexity and difficulty of exploitation reduce the likelihood of widespread impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthorized cross-tenant access to sensitive data permission rules and organizational structure information, it could potentially lead to violations of data protection and privacy regulations by exposing sensitive information without proper authorization. This unauthorized data disclosure could undermine compliance with standards that require strict access controls and data confidentiality. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and analyzing API requests to the endpoint `GET /sys/sysDepartRole/datarule/{permissionId}/{departId}/{roleId}` for unauthorized or suspicious access patterns. Specifically, look for requests where the `departId` and `roleId` parameters do not belong to the tenant of the authenticated user, which indicates a possible cross-tenant data access attempt. Detection can combine a direct check of the endpoint with curl and network monitoring tools that log and inspect requests. For example, you can use curl to query the endpoint with various IDs and see whether data outside your own tenant is returned: `curl -i -H 'Authorization: Bearer <token>' 'https://<target>/sys/sysDepartRole/datarule/<permissionId>/<departId>/<roleId>'`. Additionally, implement audit logging on the server side to record all queries to this API and review the logs for unauthorized access attempts. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:

1. Implement tenant ownership validation by verifying that the `departId` belongs to the current user's tenant before processing the request.
2. Validate that the `roleId` corresponds to the specified `departId`.
3. Enforce tenant ID filtering in all queries related to data permission rules to prevent cross-tenant data disclosure.
4. Restrict access to the vulnerable API endpoint to only department administrators or system administrators.
5. Enable audit logging for all data permission rule queries to monitor and detect unauthorized access attempts.

If possible, update or patch the affected software version, or consider replacing the product if no patch is available. [1, 2]
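The detection and mitigation answers above, as an added example that is not part of this record and not JeecgBoot's own code: a Python model of a hardened `loadDatarule` handler that applies the listed checks (department belongs to the caller's tenant, role belongs to that department, administrator-only access, tenant-keyed query) and an audit-log scan that replays the same decision over recorded requests. Every user, tenant, department, role, rule and log value is constructed for illustration, the log line format is an assumption, and the lookups are in-memory dictionaries standing in for the application's database tables.

```python
import re
from dataclasses import dataclass

# Constructed reference data standing in for the application's user, department,
# role and data-rule tables. A real deployment queries its database instead.
USER_TENANT = {"alice": "tenant-A", "bob": "tenant-B", "admin-a": "tenant-A"}
USER_ROLES = {"alice": {"user"}, "bob": {"user"}, "admin-a": {"dept_admin"}}
DEPART_TENANT = {"dep-a1": "tenant-A", "dep-a2": "tenant-A", "dep-b1": "tenant-B"}
ROLE_DEPART = {"role-a1": "dep-a1", "role-a2": "dep-a2", "role-b1": "dep-b1"}
ADMIN_ROLES = {"dept_admin", "sys_admin"}
# Data-permission rules keyed by (tenant, departId, roleId); values are rule names.
DATA_RULES = {
    ("tenant-A", "dep-a1", "role-a1"): ["only_own_dept"],
    ("tenant-B", "dep-b1", "role-b1"): ["only_own_region"],
}

# Path shape of the affected endpoint (from the advisory); IDs are constructed.
PATH_RE = re.compile(
    r"^/sys/sysDepartRole/datarule/(?P<permissionId>[^/]+)/(?P<departId>[^/]+)/(?P<roleId>[^/]+)$"
)


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize_datarule(user: str, path: str) -> Decision:
    """Apply mitigation steps 1, 2 and 4 to a single request."""
    m = PATH_RE.match(path)
    if not m:
        return Decision(False, "path is not the datarule endpoint")
    depart_id, role_id = m["departId"], m["roleId"]
    tenant = USER_TENANT.get(user)
    if tenant is None:
        return Decision(False, "unauthenticated or unknown user")
    # Step 4: only department or system administrators may read rules.
    if not USER_ROLES.get(user, set()) & ADMIN_ROLES:
        return Decision(False, f"{user} lacks an administrator role")
    # Step 1: the department must belong to the caller's tenant.
    if DEPART_TENANT.get(depart_id) != tenant:
        return Decision(False, f"departId {depart_id} is not in tenant {tenant}")
    # Step 2: the role must belong to that department.
    if ROLE_DEPART.get(role_id) != depart_id:
        return Decision(False, f"roleId {role_id} does not belong to departId {depart_id}")
    return Decision(True, "ok")


def load_datarule(user: str, path: str) -> list:
    """Hardened handler: authorize first, then query with the tenant in the key."""
    decision = authorize_datarule(user, path)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    m = PATH_RE.match(path)
    # Step 3: the tenant comes from the session, never from the request, so a
    # missed check above still cannot return another tenant's rules.
    return DATA_RULES.get((USER_TENANT[user], m["departId"], m["roleId"]), [])


# Assumed audit-log line format: "<timestamp> user=<name> \"GET <path>\" <status>"
LOG_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) "GET (?P<path>\S+)" (?P<status>\d{3})$')


def scan_audit_log(lines):
    """Step 5: replay the authorization decision over audit-log entries and
    return (timestamp, user, path, reason) for each request that should have
    been denied, i.e. what a vulnerable build would have served."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PATH_RE.match(m["path"]):
            continue  # not a datarule query
        decision = authorize_datarule(m["user"], m["path"])
        if not decision.allowed:
            findings.append((m["ts"], m["user"], m["path"], decision.reason))
    return findings


# Constructed audit log: entries 2 (cross-tenant department), 3 (non-admin
# caller) and 4 (role from a different department) are flagged.
SAMPLE_LOG = [
    '2025-12-28T10:00:01Z user=admin-a "GET /sys/sysDepartRole/datarule/perm-1/dep-a1/role-a1" 200',
    '2025-12-28T10:00:07Z user=admin-a "GET /sys/sysDepartRole/datarule/perm-1/dep-b1/role-b1" 200',
    '2025-12-28T10:00:12Z user=alice "GET /sys/sysDepartRole/datarule/perm-1/dep-a1/role-a1" 200',
    '2025-12-28T10:00:20Z user=admin-a "GET /sys/sysDepartRole/datarule/perm-1/dep-a1/role-a2" 200',
    '2025-12-28T10:00:25Z user=bob "GET /sys/user/list" 200',
]

if __name__ == "__main__":
    print(load_datarule("admin-a", "/sys/sysDepartRole/datarule/perm-1/dep-a1/role-a1"))
    for finding in scan_audit_log(SAMPLE_LOG):
        print("DENY", *finding)
```

The query in `load_datarule` takes the tenant from the authenticated session rather than from the URL, so the database lookup is scoped even if a future change weakens the handler-level checks; the same `authorize_datarule` function drives the log scan, which keeps detection and enforcement from drifting apart.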