CVE-2024-57438: 
Java vulnerability analysis and mitigation

Insecure permissions in RuoYi v4.8.0 allows authenticated attackers to escalate privileges by assigning themselves higher level roles. The vulnerability affects the RuoYi project, which is a popular open-source permission management system based on SpringBoot with over 6.6k stars on GitHub (RuoYi GitHub, RuoYi Gitee).

The vulnerability exists in the user information update interface. While the interface checks if a user has permission to update user roles, it fails to validate whether the updated role has higher privileges than the user's current role. This implementation flaw allows users with user administrative privileges to assign themselves roles with higher privileges than their current access level (GitHub POC). The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) (NVD).

The vulnerability allows authenticated users with basic administrative privileges to elevate their access rights by assigning themselves roles with higher privileges. This could lead to unauthorized access to sensitive system functions and data, potentially compromising the entire system's security model (GitHub POC).

Organizations using RuoYi v4.8.0 should implement additional role assignment validation checks to prevent users from assigning themselves roles with higher privileges than their current access level. A proper fix would involve validating the privilege level of both the current and requested roles during the role assignment process (GitHub POC).