CVE-2021-37305: 
Java vulnerability analysis and mitigation

An Insecure Permissions issue was discovered in jeecg-boot version 2.4.5 and earlier. The vulnerability allows remote attackers to gain escalated privilege and view sensitive information via the API endpoint: /sys/user/querySysUser?username=admin. This vulnerability was assigned CVE-2021-37305 and was disclosed in February 2023 (NVD, GitHub Issue).

The vulnerability exists in the API endpoint /sys/user/querySysUser which exposes sensitive user information without proper authentication. The issue has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability can be exploited remotely without requiring privileges or user interaction, and primarily impacts confidentiality (NVD).

The vulnerability allows unauthorized access to sensitive user information including email addresses and phone numbers. Additionally, attackers can enumerate existing usernames in the system through the /sys/user/checkOnlyUser endpoint, potentially facilitating further attacks (GitHub Issue).

Users should upgrade to a version newer than 2.4.5 of jeecg-boot. The vulnerability has been classified under CWE-732 (Incorrect Permission Assignment for Critical Resource), suggesting that proper access controls should be implemented on the affected API endpoints (NVD).