CVE-2022-45210: 
Java vulnerability analysis and mitigation

Jeecg-boot v3.4.3 contains a SQL injection vulnerability in the component /sys/user/deleteRecycleBin. The vulnerability was discovered and disclosed in November 2022, identified as CVE-2022-45210. This security flaw affects the user management functionality of the Jeecg-boot application (NVD, MITRE).

The vulnerability exists in the deleteRecycleBin component of the user management system. The issue stems from insufficient input validation in the SysUserMapper.xml deleteLogicDeleted function, where no precompiling is performed in the SQL query. This allows attackers to inject malicious SQL commands through the userIds parameter (GitHub Issue).

The SQL injection vulnerability allows attackers to execute arbitrary SQL commands on the underlying database. This can lead to unauthorized access to sensitive data stored in the database, potential data manipulation, and possible exposure of user information (NVD).

The recommended mitigation is to implement proper input validation and use parameterized queries or prepared statements instead of direct string concatenation in SQL queries. The issue can be addressed by modifying the query structure to use proper SQL parameter binding (GitHub Issue).