SpagoBI
cpe:2.3:a:eng:spagobi:*:*:*:*:*:*:*
- < 8.1.30
The SpagoBI API in Knowage Server versions prior to 8.1.30 does not properly validate the JNDI names of data sources. The issue is in DataSourceResource.java, where the application fails to check that a JNDI name begins with 'java:comp/env/jdbc/'. This oversight could lead to misconfigured data sources or other related issues.
Because JNDI names are not properly validated, the flaw allows potential misconfigurations or exploitation of JNDI-related features.
To reproduce this vulnerability, create a data source in a Knowage Server version prior to 8.1.30 and specify a JNDI name that does not begin with 'java:comp/env/jdbc/'. The application accepts the invalid JNDI name without any error, which shows that the validation check is not enforced.
Users can upgrade to Knowage Server version 8.1.30 or later, where this vulnerability has been addressed.
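For deployments that want an equivalent server-side check of their own, the prefix rule described above can be enforced as follows. This is an added example, not the Knowage code or its patch; the class name `JndiNameValidator`, the character allow-list for the resource name, and the sample inputs are assumptions made for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical helper (not part of Knowage): accepts a data source JNDI name
// only when it sits under the java:comp/env/jdbc/ context.
public final class JndiNameValidator {
    static final String REQUIRED_PREFIX = "java:comp/env/jdbc/";

    // Assumption: the resource name after the prefix is one or more segments
    // of letters, digits, '_', '.', '-' separated by single slashes.
    private static final Pattern RESOURCE_NAME =
            Pattern.compile("[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)*");

    static boolean isValid(String jndiName) {
        if (jndiName == null) return false;
        // Case-sensitive, no trimming: surrounding whitespace is rejected.
        if (!jndiName.startsWith(REQUIRED_PREFIX)) return false;
        String rest = jndiName.substring(REQUIRED_PREFIX.length());
        if (!RESOURCE_NAME.matcher(rest).matches()) return false;
        // Relative segments could resolve outside the jdbc sub-context.
        for (String segment : rest.split("/")) {
            if (segment.equals(".") || segment.equals("..")) return false;
        }
        return true;
    }

    // Call before persisting a data source; fails closed on invalid input.
    static String requireValid(String jndiName) {
        if (!isValid(jndiName)) {
            throw new IllegalArgumentException(
                    "JNDI name must be " + REQUIRED_PREFIX + "<resource name>");
        }
        return jndiName;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from a real configuration.
        List<String> samples = List.of(
                "java:comp/env/jdbc/knowage",   // accepted
                "java:comp/env/jdbc/",          // rejected: empty resource name
                "jdbc/knowage",                 // rejected: prefix missing
                "java:comp/env/mail/session",   // rejected: wrong sub-context
                " java:comp/env/jdbc/knowage",  // rejected: leading whitespace
                "java:comp/env/jdbc/../other"); // rejected: relative segment
        for (String s : samples) {
            System.out.printf("%-32s -> %s%n", "\"" + s + "\"",
                    isValid(s) ? "accepted" : "rejected");
        }
    }
}
```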