CVE-2022-47105: 
Java vulnerability analysis and mitigation

Jeecg-boot v3.4.4 contains a SQL injection vulnerability in the component /sys/dict/queryTableData. The vulnerability was discovered and disclosed on December 10, 2022 (GitHub Issue). The affected software is Jeecg-boot version 3.4.4 with vue2 frontend version.

The vulnerability exists due to multiple SQL injection detection bypass methods in the codebase. The SqlInjectionUtil class contains a SQL comment regex pattern that fails to match '%0A', allowing bypass using '/%0A/'. Additionally, the AbstractQueryBlackListHandler class contains blacklist rules that can be bypassed using variations like 'sysuser', '(sysuser)', or 'sys_user%20'. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows remote attackers to execute arbitrary SQL queries against the database. This can lead to unauthorized access to sensitive data, including user credentials, and potential manipulation or deletion of database contents. Multiple injection points have been identified in various system endpoints.

As of the vulnerability disclosure, no official patch has been explicitly mentioned. Organizations running affected versions should consider upgrading to a newer version if available or implementing additional security controls at the application layer to prevent SQL injection attempts.