CVE-2024-57439: 
Java vulnerability analysis and mitigation

An issue in the reset password interface of ruoyi v4.8.0 allows attackers with Admin privileges to cause a Denial of Service (DoS) by duplicating the login name of the account (NVD, GitHub). The vulnerability was discovered in the RuoYi project, which is a popular open-source permission management system based on SpringBoot (RuoYi).

The vulnerability exists because the reset password interface does not check for uniqueness of loginName when changing it, allowing it to be duplicated with other loginNames in the system. While other interfaces ensure loginName uniqueness, this check is missing in the password reset functionality. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 MEDIUM (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-281 (Improper Preservation of Permissions) (NVD).

When exploited, this vulnerability allows an attacker to cause any user in the system to be unable to log in, including the admin user. This occurs because when a loginName is duplicated, the authentication system returns multiple results for a single query, causing login attempts to fail. The impact is particularly severe as it can affect the admin account, potentially leading to a complete denial of service for system administration (GitHub).

As of the vulnerability disclosure, there is no official patch available for version 4.8.0. Organizations using RuoYi should monitor for updates and implement proper access controls to limit administrative privileges (NVD).