CVE-2024-40539 identifies a SQL injection vulnerability in the my-springsecurity-plus framework before version 2024.07.03. The vulnerability arises from improper sanitization of the dataScope parameter in the /api/user REST API endpoint. An attacker with local access can craft malicious input to manipulate the underlying SQL queries executed by the application, leading to unauthorized disclosure of sensitive information stored in the database. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). According to the CVSS 3.1 vector, the attack requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality (C:H) with no effect on integrity or availability. No known exploits have been reported in the wild, indicating this is a newly disclosed vulnerability. The lack of authentication requirement means any local user or process with access to the vulnerable endpoint could exploit this flaw. The vulnerability affects all versions prior to 2024.07.03, though specific version numbers are not detailed. The absence of patch links suggests that the fixed version is 2024.07.03 or later. This vulnerability is significant for organizations using my-springsecurity-plus in their Java Spring applications, especially those exposing the /api/user endpoint internally or to trusted networks.

The primary impact of CVE-2024-40539 is unauthorized disclosure of sensitive data due to SQL injection via the dataScope parameter. Attackers with local access can exploit this flaw to extract confidential information from the database, potentially including user credentials, personal data, or business-critical information. Although the vulnerability does not allow modification or deletion of data, the breach of confidentiality can lead to further attacks such as privilege escalation or lateral movement within the network. Organizations relying on my-springsecurity-plus in internal applications or microservices are at risk, especially if local access controls are weak or if the vulnerable endpoint is exposed to untrusted users or processes. The medium severity rating reflects the limited attack vector (local access only) and the absence of known active exploits, but the potential for data leakage remains a significant concern. Failure to address this vulnerability could result in compliance violations, reputational damage, and loss of customer trust.

To mitigate CVE-2024-40539, organizations should immediately upgrade my-springsecurity-plus to version 2024.07.03 or later, where the SQL injection flaw has been fixed. In the absence of an immediate upgrade, applying input validation and sanitization on the dataScope parameter at the application level can reduce risk. Implement strict local access controls to limit which users and processes can reach the /api/user endpoint, including network segmentation and role-based access controls. Conduct thorough code reviews and penetration testing focused on SQL injection vectors in all API endpoints. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block suspicious SQL injection payloads targeting the dataScope parameter. Monitor logs for unusual database query patterns or errors indicative of injection attempts. Finally, educate developers on secure coding practices to prevent similar vulnerabilities in future releases.