CVE-2024-40541 is a SQL injection vulnerability identified in the my-springsecurity-plus framework prior to version 2024.07.03. The vulnerability resides in the /api/dept/build API endpoint, specifically through the dataScope parameter, which fails to properly sanitize user input before incorporating it into SQL queries. This improper input validation allows an attacker with local access to inject arbitrary SQL commands, potentially leading to unauthorized disclosure of sensitive data stored in the backend database. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). According to the CVSS v3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), exploitation requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). The scope is unchanged (S:U), and the impact is high on confidentiality (C:H) but none on integrity (I:N) or availability (A:N). There are no known exploits in the wild, and no official patches or mitigation links were provided at the time of publication. The vulnerability affects any deployment of my-springsecurity-plus prior to the fixed version, which is commonly used in Java Spring-based enterprise applications for security enhancements. The lack of authentication requirement for exploitation combined with the ability to disclose sensitive data makes this a significant concern for organizations relying on this framework in internal or restricted environments.

The primary impact of CVE-2024-40541 is the potential unauthorized disclosure of sensitive information from backend databases due to SQL injection via the dataScope parameter. Organizations using vulnerable versions of my-springsecurity-plus risk exposure of confidential data, which could include user credentials, internal business data, or other sensitive records. Although the vulnerability does not affect data integrity or system availability, the confidentiality breach could lead to further targeted attacks, compliance violations, and reputational damage. Since exploitation requires local access, the threat is more relevant to insider threats or attackers who have already gained limited access to the network or system. Enterprises with internal applications using this framework should be particularly cautious, as attackers could leverage this vulnerability to escalate data access without needing elevated privileges or user interaction. The absence of known exploits in the wild reduces immediate risk but does not eliminate the potential for future exploitation once details become widely known.

To mitigate CVE-2024-40541, organizations should upgrade my-springsecurity-plus to version 2024.07.03 or later, where the vulnerability has been addressed. In the absence of an official patch, applying input validation and sanitization on the dataScope parameter at the application level can reduce risk. Employ parameterized queries or prepared statements to prevent SQL injection. Restrict local access to the vulnerable systems by enforcing strict network segmentation and access controls, limiting exposure to trusted users only. Monitor logs for unusual database query patterns or access attempts to the /api/dept/build endpoint. Conduct regular security assessments and code reviews focusing on input handling in API endpoints. Additionally, implement least privilege principles to minimize the impact of any local access compromise. Finally, maintain awareness of updates from the my-springsecurity-plus project for official patches or advisories.