CVE-2024-57436: 
Java vulnerability analysis and mitigation

RuoYi v4.8.0 was discovered to contain a privilege escalation vulnerability that allows unauthorized attackers to view the session ID of admin users in the system monitoring functionality. The vulnerability was disclosed on January 29, 2025 and affects the RuoYi project, which is a popular open-source permission management system based on SpringBoot with over 6.6k stars on GitHub (GitHub RuoYi, RuoYi Website).

The vulnerability stems from insufficient access controls in the system monitoring functionality. Users with system monitoring privileges can view the session IDs of admin users, which are used as identifiers for authentication. Since the system recognizes users by their session IDs, an attacker with monitoring access can impersonate an admin by using their session ID via a crafted cookie. The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (NVD CVE).

The vulnerability allows attackers with system monitoring privileges to elevate their permissions to administrative level access. By impersonating an admin user through their session ID, attackers can gain full system access and perform unauthorized administrative actions, including assigning permissions to other users (GitHub POC).

Organizations running RuoYi v4.8.0 should restrict access to system monitoring functionality and implement additional session validation mechanisms. A patch version addressing this vulnerability has not been explicitly mentioned in the available sources.