CVE-2024-6241 Overview
CVE-2024-6241 is a SQL injection vulnerability in Pear Admin Boot versions up to 2.0.2. The flaw resides in the getDictItems function reachable through the /system/dictData/getDictItems/ endpoint. Attackers can supply a payload such as ,user(),1,1 in a vulnerable input parameter to inject arbitrary SQL into the underlying query. The issue is exploitable remotely and requires only low-privilege authentication. Exploitation details have been publicly disclosed through VulDB entry VDB-269375 and Gitee issue trackers. The vulnerability is classified under [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated remote attackers can extract database contents, including credentials and session data, by injecting SQL through the getDictItems endpoint.
Affected Products
- Pear Admin Boot versions up to and including 2.0.2
- Component: pearadmin:pear_admin_boot
- Vulnerable endpoint: /system/dictData/getDictItems/
Discovery Timeline
- 2024-06-21 - CVE-2024-6241 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-6241
Vulnerability Analysis
The vulnerability exists in the getDictItems function exposed at the /system/dictData/getDictItems/ route. The function passes user-controlled input directly into a SQL query without parameterization or sanitization. An attacker can submit a crafted payload such as ,user(),1,1 that breaks out of the intended query context. The injected SQL executes with the privileges of the application database account. Gitee issue reports IA5IPQ and IA5KBS confirm the injection pattern. The EPSS score is 0.225%, placing it in the 45th percentile for exploitation likelihood.
Root Cause
The root cause is improper neutralization of special elements in SQL statements [CWE-89]. The getDictItems function concatenates request parameters into a SQL query string instead of using prepared statements with bound parameters. Input validation routines do not strip or escape SQL metacharacters before query construction.
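The following is an added illustration of the root-cause pattern and its fix, not code from Pear Admin Boot: a lookup that concatenates the request parameter into the SQL text beside the same lookup with a bound parameter. The table, column names and rows are constructed for the demo (the project's real schema is not on the page), and an in-memory SQLite database stands in for the application's database so the script runs anywhere.

```python
import sqlite3

# Constructed stand-in for a dictionary-item table. The real Pear Admin Boot
# schema is not on the page; these names are assumptions for the demo.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE dict_data (dict_type TEXT, dict_label TEXT, dict_value TEXT)"
    )
    conn.executemany(
        "INSERT INTO dict_data VALUES (?, ?, ?)",
        [
            ("sys_status", "Enabled", "0"),
            ("sys_status", "Disabled", "1"),
            ("sys_role", "Admin", "admin"),
            ("sys_role", "User", "user"),
        ],
    )
    return conn


def get_dict_items_vulnerable(conn, dict_type):
    """CWE-89 pattern: the request parameter is spliced into the SQL text,
    so quote characters in it change the statement's structure."""
    sql = (
        "SELECT dict_label, dict_value FROM dict_data WHERE dict_type = '"
        + dict_type
        + "'"
    )
    return conn.execute(sql).fetchall()


def get_dict_items_fixed(conn, dict_type):
    """Prepared statement: the value is bound separately and is never parsed
    as SQL, whatever characters it contains."""
    sql = "SELECT dict_label, dict_value FROM dict_data WHERE dict_type = ?"
    return conn.execute(sql, (dict_type,)).fetchall()


def compare(dict_type):
    """Run both variants on the same input and report the row counts."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(get_dict_items_vulnerable(conn, dict_type)),
            "fixed": len(get_dict_items_fixed(conn, dict_type)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves identically in both versions.
    print("sys_status:", compare("sys_status"))
    # A constructed value that closes the string literal and appends a
    # condition: the concatenating version returns every row in the table,
    # the parameterised version finds no dict_type with that literal name.
    print("tampered:", compare("sys_status' OR '1'='1"))
```

The point the comparison makes is that no amount of escaping in the concatenating version substitutes for binding: the fixed version needs no metacharacter stripping at all, because the value is handed to the driver as data rather than as part of the statement.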
Attack Vector
The attack vector is network-based and remotely exploitable. An authenticated user with low privileges sends an HTTP request to /system/dictData/getDictItems/ containing a malicious payload in a vulnerable parameter. The server executes the tampered query, returning database content in the response or producing observable side effects. Payloads such as ,user(),1,1 can be used to enumerate the current database user, with further payloads enabling UNION-based or boolean-based extraction of arbitrary data.
No verified proof-of-concept code is published in this advisory; full technical details are available in the referenced VulDB #269375 entry.
Detection Methods for CVE-2024-6241
Indicators of Compromise
- HTTP requests to /system/dictData/getDictItems/ containing SQL keywords such as user(), union, select, sleep, or information_schema
- Web server logs showing unusual response sizes or error codes from the getDictItems endpoint
- Database audit logs recording unexpected queries originating from the Pear Admin Boot application user
Detection Strategies
- Deploy a web application firewall (WAF) rule that inspects parameters submitted to /system/dictData/ routes for SQL metacharacters and function calls
- Enable database query logging and alert on queries containing concatenated literal values such as ,user(),1,1
- Correlate authenticated session activity with abnormal query volumes against dictionary-related tables
Monitoring Recommendations
- Forward Pear Admin Boot access logs and database audit logs to a centralized SIEM for query-pattern correlation
- Baseline normal request parameters to /system/dictData/getDictItems/ and alert on deviations
- Monitor for outbound data transfers from the application server following suspicious requests to the affected endpoint
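To make the indicators and detection strategies above concrete, here is an added example (not part of the original advisory) that scans access-log lines for requests to the affected endpoint, URL-decodes the path and query values before matching the SQL tokens listed in the indicators, and optionally flags parameter names outside a baseline. The log lines are constructed, and the baseline parameter name dictType is an assumption used only to show the baseline check; the real parameter names are not on the page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ENDPOINT = "/system/dictData/getDictItems/"

# SQL tokens named in the indicators. They are applied to decoded text so
# that percent-encoded variants such as user%28%29 are still matched.
SQL_TOKENS = re.compile(
    r"user\s*\(|union\s+(all\s+)?select|information_schema|sleep\s*\(",
    re.IGNORECASE,
)

# Common/combined access-log line: client, identity, user, time, request line,
# status and response bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def analyse_line(line, known_params=frozenset()):
    """Return None for lines needing no attention, otherwise a dict with the
    client, status, decoded target and the reasons the request was flagged."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote_plus(parts.path)
    if not path.startswith(ENDPOINT):
        return None
    reasons = []
    # Inspect any path segment after the endpoint prefix plus every query value.
    candidates = [path[len(ENDPOINT):]]
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        candidates.append(value)
        if known_params and name not in known_params:
            reasons.append("unexpected parameter: " + name)
    for text in candidates:
        if SQL_TOKENS.search(text):
            reasons.append("sql token in " + repr(text))
    if not reasons:
        return None
    return {
        "client": m.group("client"),
        "status": m.group("status"),
        "target": unquote_plus(m.group("target")),
        "reasons": reasons,
    }


def scan(lines, known_params=frozenset()):
    """Apply analyse_line to every line and keep only the flagged requests."""
    return [hit for hit in (analyse_line(l, known_params) for l in lines) if hit]


# Constructed sample log: one normal lookup, two suspicious requests (the
# second carries the page's ,user(),1,1 payload percent-encoded in the path),
# and one request to an unrelated route.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jun/2024:10:00:01 +0000] "GET /system/dictData/getDictItems/sys_status HTTP/1.1" 200 312',
    '10.0.0.9 - - [21/Jun/2024:10:00:07 +0000] "GET /system/dictData/getDictItems/sys_status%2Cuser%28%29%2C1%2C1 HTTP/1.1" 200 988',
    '10.0.0.9 - - [21/Jun/2024:10:00:09 +0000] "GET /system/dictData/getDictItems/?dictType=sys_role&x=1%20union%20select HTTP/1.1" 500 0',
    '10.0.0.7 - - [21/Jun/2024:10:00:12 +0000] "POST /system/user/list HTTP/1.1" 200 1442',
]

if __name__ == "__main__":
    # "dictType" is an assumed baseline name for the demonstration only.
    for hit in scan(SAMPLE_LOG, known_params=frozenset({"dictType"})):
        print(hit)
```

Decoding before matching is the part worth keeping: a rule that inspects the raw query string sees user%28%29 rather than user(), and a rule that inspects only query parameters never sees a payload carried in the path. Feeding the flagged records into the SIEM alongside database audit logs gives the correlation the monitoring recommendations call for.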
How to Mitigate CVE-2024-6241
Immediate Actions Required
- Restrict network access to the Pear Admin Boot administrative interface to trusted networks only
- Audit existing user accounts and rotate credentials that may have been exposed through prior exploitation
- Apply WAF rules that block SQL injection patterns targeting the /system/dictData/getDictItems/ endpoint
Patch Information
At the time of NVD publication, no official patched release was referenced in the advisory. Track Gitee issue reports IA5IPQ and IA5KBS for fix status. Once a fixed release is published, upgrade beyond version 2.0.2 immediately. Refer to VulDB #269375 CTI for ongoing threat intelligence updates.
Workarounds
- Disable or restrict access to the /system/dictData/getDictItems/ endpoint until a vendor fix is available
- Implement a reverse-proxy filter that rejects requests whose query parameters contain SQL functions or keywords such as user(), version(), or union select
- Apply the principle of least privilege to the database account used by Pear Admin Boot, removing access to non-essential schemas
- Require additional authentication factors for administrative users to reduce abuse of low-privileged accounts
# Example NGINX rule to block obvious SQL injection patterns against the vulnerable endpoint.
# Note: $args is the raw, undecoded query string, so this matches only plain-text
# patterns in query parameters; percent-encoded variants and payloads carried in the
# path are not covered. Treat it as a stopgap, not a replacement for the vendor fix.
location /system/dictData/getDictItems/ {
    if ($args ~* "(union(.*)select|user\(\)|information_schema|sleep\()") {
        return 403;
    }
    proxy_pass http://pear_admin_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.