CVE-2024-40542 is a SQL injection vulnerability identified in the my-springsecurity-plus library prior to version 2024.07.03. The vulnerability arises from improper sanitization of the dataScope parameter in the /api/role?offset API endpoint. An attacker with authenticated access and low privileges can inject malicious SQL code through this parameter, potentially manipulating backend database queries. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS v3.1 base score is 6.3, indicating a medium severity level, with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. This means the attack can be performed remotely over the network with low attack complexity, requires low privileges, and no user interaction. Successful exploitation can lead to partial loss of confidentiality, integrity, and availability of the affected system's data. No public exploits or active exploitation campaigns have been reported yet. The vulnerability affects applications that integrate my-springsecurity-plus for role management and security enforcement, typically in Java Spring-based environments. Since the patch or fixed version is 2024.07.03, users running earlier versions should update promptly to remediate this issue.

The SQL injection vulnerability allows an authenticated attacker with low privileges to execute arbitrary SQL commands on the backend database. This can lead to unauthorized access to sensitive data, modification or deletion of records, and potential disruption of application availability. Organizations relying on my-springsecurity-plus for role and access management may face data breaches or integrity violations, undermining trust and compliance with data protection regulations. The impact is particularly significant for enterprises managing sensitive user or business data. Although no known exploits are currently active, the vulnerability's ease of exploitation and network accessibility make it a credible threat. If exploited, attackers could escalate privileges, extract confidential information, or disrupt critical services, affecting business operations and reputation.

Organizations should immediately upgrade my-springsecurity-plus to version 2024.07.03 or later, where the vulnerability is patched. If immediate upgrading is not feasible, implement strict input validation and sanitization on the dataScope parameter to prevent injection of malicious SQL code. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious SQL injection attempts targeting the /api/role?offset endpoint. Limit the privileges of accounts accessing this API to the minimum necessary to reduce potential damage from exploitation. Conduct thorough code reviews and security testing focusing on input handling in all API endpoints. Monitor logs for unusual database query patterns or failed injection attempts. Additionally, consider employing database-level protections such as parameterized queries or stored procedures to mitigate injection risks. Regularly audit and update dependencies to ensure timely application of security patches.