Executive Summary

CVE-2025-15124 is a vulnerability in JeecgBoot versions up to 3.9.0 affecting the GET endpoint /sys/sysDepartPermission/list. The issue arises because the function getParameterMap does not properly validate the departId parameter, allowing an attacker with a valid login session to specify arbitrary departId values from other tenants. This leads to improper authorization and unauthorized access to department permission configurations of other tenants. The vulnerability is due to missing server-side tenant ownership validation, enabling cross-tenant data disclosure remotely. A proof-of-concept exploit is publicly available, although exploiting it is considered difficult. [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive department permission data across tenants, exposing organizational structures, permission IDs, data rule IDs, and metadata. Attackers can gain insights into business functions and system architecture, which can facilitate targeted privilege escalation attacks within the JeecgBoot system. Essentially, it compromises confidentiality and can enable attackers to bypass tenant isolation controls, potentially leading to further security breaches. [1, 2, 3]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring and testing the GET endpoint `/sys/sysDepartPermission/list` for improper authorization issues. Specifically, you can attempt to send GET requests with different `departId` parameters to check if cross-tenant data is accessible without proper validation. A sample command to test this is: curl -X GET -H "Authorization: Bearer <valid_token>" "http://<host>/jeecgboot/sys/sysDepartPermission/list?departId=<target_depart_id>&pageNo=1&pageSize=10" If the response returns department permission data for a `departId` that does not belong to the authenticated tenant, it indicates the presence of the vulnerability. Additionally, audit logs should be reviewed for unusual or unauthorized access attempts to this endpoint with varying `departId` values. [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing server-side tenant ownership validation to ensure that the `departId` parameter belongs to the authenticated user's tenant before processing the request. This can be done by verifying the department's tenant ID against the current user's tenant ID and returning an error if they do not match. Additionally, enforce tenant ID filtering in database queries, for example by adding a condition like `queryWrapper.eq("tenant_id", TenantContext.getTenant())`. Using a multi-tenancy plugin such as MyBatis-Plus to enforce tenant isolation at the SQL level is recommended. Restrict query parameters to a whitelist to prevent arbitrary cross-tenant queries and enable audit logging for all department permission queries to detect unauthorized access attempts. If possible, consider replacing the affected component with an alternative product as no patches or vendor responses are available. [1, 2, 3]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability leads to unauthorized disclosure of sensitive permission data across tenants due to improper authorization and lack of tenant ownership validation. Such unauthorized access and data leakage can result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict access controls and protection of personal and organizational data. The exposure of organizational structures and permission configurations increases the risk of privacy violations and potential misuse of sensitive information, thereby negatively impacting compliance with these standards. [1, 2, 3]

Useful 0 Not Useful 0