CVE-2025-45618: n/a in n/a
Incorrect access control in the component /admin/sys/datasource/ajaxList of jeeweb-mybatis-springboot v0.0.1.RELEASE allows attackers to access sensitive information via a crafted payload.
AI Analysis
Technical Summary
CVE-2025-45618 is a medium-severity vulnerability identified in the component /admin/sys/datasource/ajaxList of the jeeweb-mybatis-springboot framework version 0.0.1.RELEASE. The vulnerability stems from incorrect access control (CWE-284), which allows an attacker holding low privileges (PR:L) and requiring no user interaction (UI:N) to access sensitive information by sending a crafted payload over the network (AV:N). The vulnerability does not impact integrity or availability but compromises confidentiality (C:H). The CVSS 3.1 base score is 6.5, reflecting a moderate risk. The flaw allows unauthorized access to sensitive data because access control policies are insufficiently enforced on the ajaxList endpoint, potentially exposing internal system or application data that should be restricted. Although the affected product and vendor details are not specified, the vulnerability affects a component used in Java Spring Boot applications integrated with MyBatis, a popular persistence framework. No patches or known exploits in the wild have been reported as of the publication date (May 5, 2025).
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive information, which can lead to data breaches, regulatory non-compliance (e.g., GDPR), and reputational damage. Since the vulnerability requires some level of privileges, attackers might exploit it after gaining limited access, such as through compromised credentials or insider threats. The exposed data could include configuration details, user information, or internal system data, which could be leveraged for further attacks or espionage. Organizations in sectors with high data sensitivity, such as finance, healthcare, and government, are particularly at risk. The network-based attack vector means that attackers can exploit this remotely, increasing the threat surface. Because no user interaction is required, exploitation attempts can be automated once access is obtained.
Mitigation Recommendations
European organizations should first identify whether they use the jeeweb-mybatis-springboot framework, particularly version 0.0.1.RELEASE or any other versions that might be affected. Since no official patches are currently available, organizations should implement strict network segmentation and access controls so that the /admin/sys/datasource/ajaxList endpoint is reachable only by trusted, authenticated users on a need-to-know basis. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting this endpoint can reduce exploitation risk. Conduct thorough privilege audits to ensure that users and services interacting with this component hold only the minimum privileges they need. Monitoring and logging of access to sensitive endpoints should be enhanced so that anomalous activity is detected promptly. Organizations should also engage with the vendor or open-source community for updates or patches and plan for timely application once available. Finally, penetration testing and code review focused on the access control mechanisms of the affected component can help identify and remediate similar issues proactively.
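As an added example (not part of the original advisory or the jeeweb project), the following script shows the kind of monitoring logic the recommendations above call for: it scans access-log lines for successful hits on the /admin/sys/datasource/ajaxList endpoint by unauthenticated or non-admin principals and flags clients that hammer the endpoint. The log format, the sample lines, the "admin" role name and the burst threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (hypothetical format: timestamp, client IP,
# authenticated user and role, method, path, HTTP status).
SAMPLE_LOG = """\
2025-05-06T10:01:02Z 10.0.0.5 user=alice role=admin GET /admin/sys/datasource/ajaxList 200
2025-05-06T10:01:09Z 10.0.0.9 user=bob role=user GET /admin/sys/datasource/ajaxList?pageSize=500 200
2025-05-06T10:01:10Z 10.0.0.9 user=bob role=user GET /admin/sys/datasource/ajaxList?pageNo=2 200
2025-05-06T10:01:11Z 10.0.0.9 user=bob role=user GET /admin/sys/datasource/ajaxList?pageNo=3 200
2025-05-06T10:02:30Z 203.0.113.7 user=- role=- GET /admin/sys/datasource/ajaxList 200
2025-05-06T10:02:31Z 10.0.0.9 user=bob role=user GET /admin/sys/user/list 403
2025-05-06T10:03:00Z 10.0.0.5 user=alice role=admin POST /admin/sys/datasource/save 200
"""

SENSITIVE_PATH = "/admin/sys/datasource/ajaxList"
ALLOWED_ROLES = {"admin"}   # principals expected to call the endpoint (assumption)
BURST_THRESHOLD = 3         # successful hits per client IP before flagging

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_suspicious(log_text):
    """Return (ts, ip, user, reason) tuples for 200 responses on the sensitive
    endpoint to unauthenticated/non-admin callers, plus per-IP burst entries."""
    findings, hits_per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] != "200":
            continue                      # unparsable or already denied: skip
        if rec["path"].split("?", 1)[0] != SENSITIVE_PATH:
            continue                      # match on path only, ignore query string
        hits_per_ip[rec["ip"]] += 1
        if rec["user"] == "-":
            findings.append((rec["ts"], rec["ip"], rec["user"], "unauthenticated access succeeded"))
        elif rec["role"] not in ALLOWED_ROLES:
            findings.append((rec["ts"], rec["ip"], rec["user"], f"role '{rec['role']}' not permitted"))
    for ip, n in hits_per_ip.items():
        if n >= BURST_THRESHOLD:
            findings.append(("-", ip, "-", f"{n} successful hits (possible enumeration)"))
    return findings
```

Adapt LINE_RE, ALLOWED_ROLES and the threshold to your own log format and role model before running it over real logs.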
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d981cc4522896dcbdac3c
Added to database: 5/21/2025, 9:08:44 AM
Last enriched: 7/6/2025, 7:40:32 PM
Last updated: 8/12/2025, 5:25:56 PM
Views: 11