CVE-2023-41578: 
Java vulnerability analysis and mitigation

Jeecg boot up to version 3.5.3 was discovered to contain an arbitrary file read vulnerability via the interface /testConnection. The vulnerability was assigned CVE-2023-41578 and was disclosed on September 8, 2023. The vulnerability affects the Jeecg boot application up to version 3.5.3 (NVD).

The vulnerability exists in the /testConnection route where a MySQL connection can be constructed to cause arbitrary file reading. The application has some protection during the parsing process for MySQL connections, specifically around the 'allowLoadLocalInfile' parameter, but this can be bypassed. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) (NVD, GitHub Issue).

The vulnerability allows remote attackers to read arbitrary files on the affected system. This could lead to exposure of sensitive information and potential system compromise through information disclosure (NVD).

Organizations should upgrade to a version newer than 3.5.3 of Jeecg boot. If immediate upgrading is not possible, organizations should implement strict access controls to the /testConnection endpoint (NVD).