CVE-2025-15123
Unknown Unknown - Not Provided
Improper Authorization in JeecgBoot /sysDepartPermission Remote Access

Publication date: 2025-12-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in JeecgBoot up to 3.9.0. This affects an unknown function of the file /sys/sysDepartPermission/datarule/. Executing manipulation can lead to improper authorization. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-28
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-28
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15123
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jeecg jeecgboot 3.9.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15123 is a tenant privilege escalation vulnerability in JeecgBoot up to version 3.9.0. It occurs in the API endpoint GET /sys/sysDepartPermission/datarule/{permissionId}/{departId}, which queries department permission data rules without verifying if the requested department belongs to the logged-in user's tenant. This lack of tenant ownership validation allows an attacker with a valid login session to access data permission rules of other tenants by guessing or enumerating their department and permission IDs. The data exposed includes fine-grained access control policies, field-level filtering conditions, and sensitive business logic, enabling attackers to map the permission system and potentially craft targeted data leakage or access bypass attacks. [1, 3]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of other tenants' data access control policies, exposing sensitive business logic and database schema details. Attackers can fully map the permission system of other tenants, which facilitates further targeted data leakage or access bypass attacks. It compromises data confidentiality and system security by allowing cross-tenant access to sensitive permission configurations. The attack can be launched remotely by an authenticated user and is considered difficult but feasible to exploit. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring and testing the API endpoint GET /sys/sysDepartPermission/datarule/{permissionId}/{departId} for improper authorization. Specifically, you can attempt to send crafted GET requests with permissionId and departId values that belong to other tenants to see if data permission rules are returned without proper tenant validation. Detection involves verifying whether the system validates tenant ownership before returning data. Commands to test this could include using curl or similar HTTP clients to send requests like: curl -i -X GET "https://<target>/sys/sysDepartPermission/datarule/<permissionId>/<departId>" -H "Authorization: Bearer <valid_token>" and checking if data from other tenants is disclosed. Additionally, audit logs should be reviewed for unusual queries to this endpoint. Since the vulnerability requires a valid login session, ensure you have authenticated credentials for testing. No automated detection commands are provided, but manual API testing as described is recommended. [1, 3]

Mitigation Strategies

Immediate mitigation steps include: 1. Validate tenant ownership by checking if the department's tenantId matches the current user's tenantId before processing requests to the vulnerable endpoint. 2. Enforce tenant ID filtering in database queries related to department permissions. 3. Restrict access to data permission rules to authorized roles only, such as department or system administrators, using Role-Based Access Control (RBAC). 4. Apply data desensitization to sensitive information before returning it in responses. 5. Implement audit logging for all data permission rule queries, capturing user identity, timestamps, and query parameters. If patching or vendor fixes are unavailable, consider replacing the affected component or product to prevent exploitation. These steps help prevent unauthorized cross-tenant data access and reduce the risk of data leakage. [1, 3, 2]

Compliance Impact

This vulnerability allows unauthorized cross-tenant access to sensitive permission configurations, including fine-grained data access control policies and business logic. Such unauthorized data disclosure and improper authorization can lead to violations of data confidentiality requirements mandated by common standards and regulations like GDPR and HIPAA. Exposure of sensitive information and failure to enforce proper access controls may result in non-compliance with these regulations, which require strict protection of personal and sensitive data. Therefore, this vulnerability negatively impacts compliance by enabling data leakage and unauthorized access across tenants. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15123. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart