
CVE-2025-45618: n/a in n/a

Medium
Published: Mon May 05 2025 (05/05/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Incorrect access control in the component /admin/sys/datasource/ajaxList of jeeweb-mybatis-springboot v0.0.1.RELEASE allows attackers to access sensitive information via a crafted payload.

AI-Powered Analysis

Last updated: 07/06/2025, 19:40:32 UTC

Technical Analysis

CVE-2025-45618 is a medium-severity vulnerability in the /admin/sys/datasource/ajaxList component of jeeweb-mybatis-springboot version 0.0.1.RELEASE, an administration scaffold built on Spring Boot and MyBatis. The flaw is classified as incorrect access control (CWE-284): the endpoint does not adequately enforce who may call it, so an attacker holding a low-privilege account (PR:L), with no user interaction (UI:N) and over the network (AV:N), can obtain sensitive information with a crafted request. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, base score 6.5: confidentiality impact is high, while integrity and availability are unaffected. Given the endpoint name, the exposed data is most likely the application's configured data source records; the public description does not state which fields are returned, so whether that includes database hosts, usernames or credentials should be verified against the deployed version. The CVE record lists vendor and product as n/a, but the description identifies the affected project and version. No patch and no exploitation in the wild had been reported as of the publication date (May 5, 2025).

Potential Impact

For European organizations the primary risk is unauthorized disclosure of configuration and application data, with the breach-notification obligations that follow under GDPR and the accompanying reputational damage. Exploitation requires an authenticated low-privilege account, so the realistic scenario is a compromised, self-registered or insider user account escalating from ordinary access to administrative data. If the data source listing exposes database connection details, an attacker can use them to reach the backing database directly, turning a confidentiality flaw into a broader compromise. The network attack vector and the absence of any user-interaction requirement mean the request can be scripted and repeated once a session is available. Sectors handling highly sensitive data, such as finance, healthcare and government, face the greatest impact.

Mitigation Recommendations

European organizations should first determine whether they run jeeweb-mybatis-springboot at all; the advisory names only version 0.0.1.RELEASE, so treat other versions as unverified rather than safe. Because no fix is available, the endpoint has to be protected at deployment time: place the /admin/ paths behind network segmentation or an authenticating reverse proxy so they are reachable only from administrative networks, and enforce at that layer that only accounts with a genuine need to manage data sources can reach /admin/sys/datasource/ajaxList. Note that PR:L means any authenticated account suffices, so self-registration and shared low-privilege accounts widen the exposure; audit who can obtain a session at all, not only who holds administrative roles. A WAF rule that blocks the path is a reasonable stopgap, but match on the normalized path (strip query strings, matrix parameters such as ;jsessionid=, and doubled slashes), since a rule on the literal string is easy to route around. Log every request to the endpoint together with the authenticated principal and alert on successful responses to non-administrative sessions; if such access is found, assume the data source configuration has been read and rotate any database credentials it contains. Follow the project for a patch and apply it promptly. In the meantime, a code review of the authorization checks on the sibling /admin/sys/ handlers is worthwhile, since the same omission may exist elsewhere in the scaffold.
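As an added detection example (not code from this page or from the jeeweb project), the following Python script scans constructed access-log lines and flags every successful call to the vulnerable endpoint made by a session that is not administrative. The log layout (a combined-format request line followed by user= and role= fields) and the ADMIN role name are assumptions for the example; adapt the regular expression to whatever the reverse proxy or application actually logs.

```python
import re
from dataclasses import dataclass

# The vulnerable endpoint named in CVE-2025-45618 and the roles that may
# legitimately call it (the role set is an assumption for this example).
TARGET_PATH = "/admin/sys/datasource/ajaxList"
ADMIN_ROLES = frozenset({"ADMIN"})

# Assumed log layout: combined-style request line followed by two key=value
# fields the proxy or application is assumed to append (authenticated user and
# role, "-" when anonymous). This is not jeeweb's real log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) user=(?P<user>\S+) role=(?P<role>\S+)$'
)

# Constructed sample lines: alice is an admin, bob is a low-privilege user,
# the last entry is an anonymous request redirected to the login page.
SAMPLE_LOG = """\
10.0.0.5 - - [05/May/2025:10:01:12 +0000] "GET /admin/sys/datasource/ajaxList?pageNo=1 HTTP/1.1" 200 2311 user=alice role=ADMIN
10.0.0.9 - - [05/May/2025:10:02:03 +0000] "GET /admin/sys/datasource/ajaxList HTTP/1.1" 200 2311 user=bob role=USER
10.0.0.9 - - [05/May/2025:10:02:07 +0000] "POST /admin//sys/datasource/ajaxList;jsessionid=9F2A HTTP/1.1" 200 2290 user=bob role=USER
10.0.0.9 - - [05/May/2025:10:02:30 +0000] "GET /admin/sys/user/list HTTP/1.1" 200 1800 user=bob role=USER
203.0.113.7 - - [05/May/2025:10:03:44 +0000] "GET /admin/sys/datasource/ajaxList HTTP/1.1" 302 0 user=- role=-
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    ip: str
    user: str
    role: str
    method: str
    status: int


def normalize_path(target: str) -> str:
    """Reduce a request target to a comparable path: drop the query string and
    matrix parameters (;jsessionid=...), collapse repeated slashes and strip a
    trailing slash. A literal match on the raw target would miss the third
    sample line."""
    path = target.split("?", 1)[0].split(";", 1)[0]
    path = re.sub(r"/{2,}", "/", path)
    return path.rstrip("/") or "/"


def find_unauthorized_reads(log_text: str, admin_roles=ADMIN_ROLES) -> list[Finding]:
    """Return every successful (2xx) call to the vulnerable endpoint made by a
    session whose role is not in admin_roles. Admin calls and redirects to the
    login page are expected and are not reported."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        if normalize_path(m["target"]) != TARGET_PATH:
            continue
        status = int(m["status"])
        if 200 <= status < 300 and m["role"] not in admin_roles:
            findings.append(Finding(m["ts"], m["ip"], m["user"], m["role"], m["method"], status))
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_reads(SAMPLE_LOG):
        print(f"ALERT {f.ts} {f.ip} user={f.user} role={f.role} {f.method} -> {f.status}")
```

Run against the sample it reports the two hits by bob and nothing else: the admin read and the anonymous request that was redirected to login are normal traffic. The normalization step matters because a servlet container may route ajaxList;jsessionid=... or a doubled slash to the same handler, so a detection (or WAF) rule keyed on the literal path string sees fewer events than the application does.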


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-04-22T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d981cc4522896dcbdac3c

Added to database: 5/21/2025, 9:08:44 AM

Last enriched: 7/6/2025, 7:40:32 PM

Last updated: 8/12/2025, 5:25:56 PM
