CVE-2023-41544: 
Java vulnerability analysis and mitigation

SSTI (Server-Side Template Injection) vulnerability identified in jeecg-boot version 3.5.3 and earlier versions. The vulnerability allows remote attackers to execute arbitrary code through crafted HTTP requests to the /jmreport/loadTableData component. The vulnerability was disclosed on December 29, 2023, and has been assigned CVE-2023-41544 (NVD).

The vulnerability exists in the JeecgBoot/jeecg boot/jmreport/loadTableData API interface which lacks proper identity verification. The application uses FreeMarker to process SQL parameters provided by users, which can lead to Server-Side Template Injection (SSTI). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity with network access vector and no privileges required (NVD, Phoenix Blog).

Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code on the affected system through crafted HTTP requests. The vulnerability can lead to complete system compromise due to the ability to execute arbitrary commands on the target server (NVD).

Users should upgrade to a version newer than jeecg-boot 3.5.3. If immediate upgrade is not possible, it is recommended to implement strict access controls to the /jmreport/loadTableData endpoint and monitor for suspicious requests containing template injection attempts (NVD).