CVE-2024-40540: n/a
my-springsecurity-plus before v2024.07.03 was discovered to contain a SQL injection vulnerability via the dataScope parameter at /api/dept.
AI Analysis
Technical Summary
CVE-2024-40540 identifies a SQL injection vulnerability in the my-springsecurity-plus library, specifically affecting versions prior to 2024.07.03. The vulnerability is triggered via the dataScope parameter in the /api/dept REST API endpoint. An attacker with local access to the system can craft malicious input that is improperly sanitized, allowing direct injection of SQL commands into the backend database query. This vulnerability is classified under CWE-89, indicating improper neutralization of special elements used in an SQL command. The attack vector is local (AV:L), requiring no privileges (PR:N) or user interaction (UI:N), and the scope is unchanged (S:U). The impact is primarily on confidentiality (C:H), with no impact on integrity (I:N) or availability (A:N). The CVSS v3.1 base score is 6.2, indicating a medium severity level. No public exploit code or active exploitation has been reported yet. The vulnerability affects applications using my-springsecurity-plus for security management, particularly those exposing the /api/dept endpoint. The patch was released in version 2024.07.03, which properly sanitizes the dataScope parameter to prevent injection. Organizations relying on this library should prioritize updating to the patched version to prevent potential data leakage through unauthorized SQL queries.
Potential Impact
The primary impact of CVE-2024-40540 is unauthorized disclosure of sensitive information stored in the backend database due to SQL injection. Attackers with local access can exploit this flaw to extract confidential data, which may include user credentials, internal organizational data, or other sensitive information. Although the vulnerability does not allow modification or deletion of data (no integrity or availability impact), the confidentiality breach can lead to further attacks such as privilege escalation or lateral movement within the network. Organizations with internal deployments of my-springsecurity-plus are at risk, especially if local access controls are weak or if attackers gain a foothold through other means. The medium severity score reflects the limited attack vector (local access required) but high confidentiality impact. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future. Failure to patch could result in data breaches, regulatory penalties, and reputational damage.
Mitigation Recommendations
1. Immediately upgrade my-springsecurity-plus to version 2024.07.03 or later, where the SQL injection vulnerability in the dataScope parameter is fixed.
2. Implement strict input validation and sanitization on all parameters, especially those used in database queries, to prevent injection attacks.
3. Restrict local access to systems running vulnerable versions by enforcing strong access controls, network segmentation, and least privilege principles.
4. Monitor logs for unusual database query patterns or failed injection attempts targeting the /api/dept endpoint.
5. Conduct regular security code reviews and penetration testing focusing on API endpoints handling user input.
6. Employ Web Application Firewalls (WAFs) with rules to detect and block SQL injection attempts, particularly on internal APIs.
7. Educate developers on secure coding practices related to database interactions and parameter handling.
8. Maintain an up-to-date inventory of software components to quickly identify and remediate vulnerable versions.
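As an added example for recommendation 4 (not part of this analysis and not code from the my-springsecurity-plus project): a small log-review helper that picks out requests to /api/dept whose dataScope value does not look like a normal value. It assumes a combined-style access log and that a legitimate dataScope value is a short alphanumeric code; both are assumptions, not facts stated by the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines for the demo (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2024:10:01:02 +0000] "GET /api/dept?dataScope=2 HTTP/1.1" 200 512
10.0.0.5 - - [01/Aug/2024:10:01:09 +0000] "GET /api/dept?dataScope=2%27%20OR%201%3D1-- HTTP/1.1" 200 9831
10.0.0.7 - - [01/Aug/2024:10:02:11 +0000] "GET /api/user?dataScope=2%27 HTTP/1.1" 200 300
10.0.0.9 - - [01/Aug/2024:10:03:45 +0000] "GET /api/dept?dataScope=2%2C3 HTTP/1.1" 400 41
"""

# Combined-log request line: source, timestamp, method, target, status, size.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumption: a legitimate dataScope value is a short alphanumeric code.
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9_]{1,16}$")
# Characters and keywords that have no business in such a code.
SQL_HINTS = re.compile(r"('|--|/\*|;|\b(or|and|union|select|sleep)\b)", re.IGNORECASE)


def inspect_line(line):
    """Return a finding for a /api/dept request with an odd dataScope, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != "/api/dept":
        return None
    # parse_qs percent-decodes the value, so we inspect what the app would see.
    for value in parse_qs(parts.query).get("dataScope", []):
        if ALLOWED_VALUE.match(value):
            continue
        reasons = ["unexpected-format"]
        if SQL_HINTS.search(value):
            reasons.append("sql-metacharacters")
        return {"src": m.group("src"), "ts": m.group("ts"),
                "status": m.group("status"), "value": value, "reasons": reasons}
    return None


def scan(log_text):
    """Run inspect_line over every line and keep the findings, in log order."""
    return [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests with a 4xx/5xx status and a flagged value are the ones worth correlating with database error logs first, since a failed probe often surfaces there before a successful one does.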
Affected Countries
United States, Germany, India, China, United Kingdom, Japan, South Korea, France, Canada, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-07-05T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6cadb7ef31ef0b567fc3
Added to database: 2/25/2026, 9:42:05 PM
Last enriched: 2/28/2026, 5:24:29 AM
Last updated: 4/12/2026, 6:14:15 PM