
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-3163 is a vulnerability in y_project RuoYi versions up to 4.7.7. It affects the filterKeyword function: the value that ends up in the SQL ORDER BY clause is not adequately validated, so a crafted sort parameter can drive the server into resource exhaustion (denial of service). The issue was disclosed on June 8, 2023 (NVD).
The root cause is insufficient validation of the ORDER BY parameters. The application does run each sort value through a regex allow-list (the SQL_PATTERN constant) to block SQL injection, but that pattern allows comma-separated field lists for multi-field sorting and places no bound on how many fields, or how many characters, a single sort parameter may contain. The CVSS v3.1 base score is 7.5 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: exploitable over the network without authentication or user interaction, with impact limited to availability (NVD).
Exploitation causes heavy resource consumption on the server, and only a handful of requests are needed. On small hosts (for example 2 cores / 2 GB RAM) the reporter observed complete system crashes; on a 4 core / 8 GB host the attack still drove CPU usage up, slowed the service, and consumed roughly 1000 MB of memory (Gitee Issue).
The fix caps the length of the orderBy parameter. Users should update to the latest release of the repository. Where an immediate update is not possible, limit request size at the HTTP layer (for example at a reverse proxy in front of the application) or add a length check on the ORDER BY parameters in the application's own validation (Gitee Issue).
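As an added illustration (example code written for this entry, not RuoYi's own source), the following Java class models the two behaviours described above: a regex allow-list plus keyword filter that bounds the characters of an ORDER BY value but not its size, beside a hardened version that also caps the length and, going one step further than the described patch, the number of comma-separated fields. The class name, the exception type, the keyword list and the limits 500 and 8 are assumptions chosen for the example.

```java
import java.util.Collections;
import java.util.regex.Pattern;

/**
 * Hypothetical model of an ORDER BY sanitizer in the style the advisory describes
 * (an allow-list regex followed by keyword filtering). Not RuoYi's code.
 */
public class OrderBySanitizer {

    // Allow-list for sort columns: letters, digits, underscore, space, comma, dot.
    // The comma is what permits multi-field sorting such as "id, name desc".
    static final Pattern SQL_PATTERN = Pattern.compile("[a-zA-Z0-9_ ,.]+");

    // Crude keyword deny-list used as a second line of defence (assumed list).
    static final String[] SQL_KEYWORDS = {
        "select ", "insert ", "update ", "delete ", "drop ", "union ", "or ", "and "
    };

    // Caps used by the hardened version (values are assumptions for this example).
    static final int ORDER_BY_MAX_LENGTH = 500;
    static final int ORDER_BY_MAX_FIELDS = 8;

    static final class RejectedException extends RuntimeException {
        RejectedException(String msg) { super(msg); }
    }

    /** Pre-fix behaviour: the syntax is checked, the size is not. */
    static String escapeOrderBySqlVulnerable(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        if (!SQL_PATTERN.matcher(value).matches()) {
            throw new RejectedException("order by contains disallowed characters");
        }
        filterKeyword(value);
        return value; // "user_id,user_id,..." repeated thousands of times passes through
    }

    /** Post-fix behaviour: the same checks plus a length cap and a field-count cap. */
    static String escapeOrderBySqlHardened(String value) {
        if (value == null || value.isEmpty()) {
            return value;
        }
        // Cheap bound first, so an oversized payload never reaches the regex or the DB.
        if (value.length() > ORDER_BY_MAX_LENGTH) {
            throw new RejectedException("order by longer than " + ORDER_BY_MAX_LENGTH);
        }
        if (!SQL_PATTERN.matcher(value).matches()) {
            throw new RejectedException("order by contains disallowed characters");
        }
        if (value.split(",").length > ORDER_BY_MAX_FIELDS) {
            throw new RejectedException("order by has more than " + ORDER_BY_MAX_FIELDS + " fields");
        }
        filterKeyword(value);
        return value;
    }

    /** Case-insensitive substring check against the keyword deny-list. */
    static void filterKeyword(String value) {
        String lower = value.toLowerCase();
        for (String kw : SQL_KEYWORDS) {
            if (lower.contains(kw)) {
                throw new RejectedException("order by contains SQL keyword: " + kw.trim());
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal two-field sort and an abusive one of 20000 fields.
        String normal = "create_time desc, user_id";
        String abusive = String.join(",", Collections.nCopies(20000, "user_id"));

        System.out.println("normal  / vulnerable: " + escapeOrderBySqlVulnerable(normal));
        System.out.println("normal  / hardened:   " + escapeOrderBySqlHardened(normal));

        // The regex-only check accepts the abusive string, so it would reach the database.
        System.out.println("abusive / vulnerable: accepted, length "
                + escapeOrderBySqlVulnerable(abusive).length());

        try {
            escapeOrderBySqlHardened(abusive);
        } catch (RejectedException e) {
            System.out.println("abusive / hardened:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The ordering of checks in the hardened method is deliberate: the length comparison is O(1) and runs before the regex, so a multi-megabyte sort parameter is discarded before any pattern matching, keyword scanning, or SQL generation takes place.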
Source: This report was generated using AI