CVE-2024-2478
NixOS vulnerability analysis and mitigation

Overview

A critical SQL injection vulnerability (CVE-2024-2478) was discovered in BradWenqiang HR 2.0. It affects the selectAll function in the file /bishe/register of the Background Management component. The vulnerability was disclosed on March 15, 2024; manipulating the userName parameter leads to SQL injection (VulDB, NVD).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-89 (SQL Injection): improper neutralization of special elements used in an SQL command. The flaw lies in the selectAll() method. The attacker-controlled userName parameter taken from the request is passed through the service layer and the mapper layer and reaches the executed SQL statement without being neutralized, so any SQL metacharacters it contains change the structure of the query (NVD).

Impact

The SQL injection allows a remote, unauthenticated attacker to read, modify, or delete database contents, compromising the confidentiality, integrity, and availability of the system. The attack can be launched over the network without user interaction, and an exploit has been publicly disclosed (VulDB).

Mitigation and workarounds

The vendor was contacted early about this disclosure but did not respond or provide an official patch. No vendor-specific mitigation has been published at this time (NVD). Until a fix is available, the standard remediation for CWE-89 applies: pass userName to the database as a bound parameter of a prepared statement rather than splicing it into the SQL text, and treat the Background Management interface as exposed to unauthenticated attackers (restrict network access to it where possible).
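The following is an added example, not code from BradWenqiang HR or from the advisory sources, illustrating both the mechanism described under "Technical details" and the remediation above. The real application's stack is not reproduced; the flaw is modelled in Python with sqlite3, and the table name `users`, the column names, the sample rows and the payloads are all constructed for the demonstration. `select_all_vulnerable` splices the request parameter into the SQL string (the CWE-89 pattern; if the mapper layer is MyBatis, this corresponds to a `${userName}` placeholder, which is an assumption about the project), while `select_all_safe` binds it as a parameter (the `#{userName}` form).

```python
import sqlite3

# Constructed sample data standing in for the HR application's user table.
# Table and column names are assumptions made for this example.
SAMPLE_USERS = [
    ("alice", "hr_admin"),
    ("bob", "employee"),
    ("carol", "employee"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def select_all_vulnerable(conn, user_name):
    """CWE-89 pattern: the request parameter becomes part of the SQL text,
    so quotes, OR and UNION in user_name rewrite the query itself."""
    sql = f"SELECT user_name, role FROM users WHERE user_name = '{user_name}'"
    return conn.execute(sql).fetchall()


def select_all_safe(conn, user_name):
    """Hardened form: the value is sent as a bound parameter. The database
    compares it as data; it can never be parsed as SQL."""
    sql = "SELECT user_name, role FROM users WHERE user_name = ?"
    return conn.execute(sql, (user_name,)).fetchall()


def demo():
    """Run benign and hostile inputs through both variants and return results."""
    conn = make_db()
    benign = "alice"
    # Tautology payload: closes the quoted literal and appends an always-true OR.
    tautology = "' OR '1'='1"
    # UNION payload: appends a second SELECT against the schema catalogue and
    # comments out the trailing quote, reading data outside the users table.
    union = "x' UNION SELECT sql, name FROM sqlite_master--"
    return {
        "vuln_benign": select_all_vulnerable(conn, benign),
        "vuln_tautology": select_all_vulnerable(conn, tautology),
        "vuln_union": select_all_vulnerable(conn, union),
        "safe_benign": select_all_safe(conn, benign),
        "safe_tautology": select_all_safe(conn, tautology),
        "safe_union": select_all_safe(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the vulnerable variant the tautology payload returns every row and the UNION payload returns the schema of the database; with the parameterized variant both payloads are compared literally against user_name and match nothing, while the benign lookup behaves identically in both.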
