DataEase Arbitrary File Read Vulnerability via JDBC Connection Bypass

Vulnerability

A vulnerability in DataEase, an open-source business intelligence and data visualization tool, allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. This issue arises from a bypass of the patch for CVE-2024-55953, and it affects versions of DataEase through 2.10.5. The vulnerability has been fixed in version 2.10.6.

Impact

Exploitation of this vulnerability allows arbitrary file read, which could expose sensitive information.

Reproduction

To reproduce this vulnerability, log into the application and send a request containing a JDBC connection string with illegal parameters. The 'getJdbc' method in the 'Mysql' class of the DataEase datasource type package does not properly decode these parameters, so a JDBC URL can be constructed that bypasses the application's validation. Once the request is sent, sensitive files such as '/etc/passwd' can be read.
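
The check described above fails when parameter names are compared raw. As an added example (not DataEase's own code), the following validator percent-decodes and case-normalizes every JDBC parameter name before comparing it against a denylist, so an encoded spelling of a blocked name cannot slip past; the denied property names, the host and the sample URLs are assumptions.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;
import java.util.TreeSet;

/** Hardened check for user-supplied MySQL JDBC URLs (illustrative, not DataEase code). */
public final class JdbcUrlCheck {

    // Connector/J properties this deployment refuses to accept from users (assumed policy).
    // An allowlist of known-safe keys is stricter still and preferable where feasible.
    private static final Set<String> DENIED = Set.of(
        "allowloadlocalinfile", "allowloadlocalinfileinpath", "allowurlinlocalinfile",
        "autodeserialize", "allowmultiqueries");

    /** Decode until the string stops changing, so double encoding cannot hide a key. */
    static String fullyDecode(String s) {
        String prev;
        do {
            prev = s;
            s = URLDecoder.decode(s, StandardCharsets.UTF_8);
        } while (!s.equals(prev));
        return s.replace("\u0000", "");
    }

    /** Returns the denied parameter names present in the URL; empty means acceptable. */
    static Set<String> deniedParams(String jdbcUrl) {
        Set<String> found = new TreeSet<>();
        if (!jdbcUrl.startsWith("jdbc:mysql://")) {
            found.add("<unexpected scheme>");
            return found;
        }
        int q = jdbcUrl.indexOf('?');
        if (q < 0) return found;
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String rawKey = eq < 0 ? pair : pair.substring(0, eq);
            // Normalize exactly as the driver would see the key, then compare.
            String key = fullyDecode(rawKey).trim().toLowerCase(Locale.ROOT);
            if (DENIED.contains(key)) found.add(key);
        }
        return found;
    }

    public static void main(String[] args) {
        // Constructed sample URLs: one benign, one with a percent-encoded denied key.
        String plain = "jdbc:mysql://db.example.internal:3306/app?useSSL=true";
        String encoded = "jdbc:mysql://db.example.internal:3306/app?%61llowLoadLocalInfile=true";
        System.out.println("plain   -> " + deniedParams(plain));
        System.out.println("encoded -> " + deniedParams(encoded));
    }
}
```

The same normalization must be applied to every parameter name the driver will read, not only to the first one found, and a rejected URL should be logged with the decoded key so detection rules can alert on repeated attempts.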

Remediation

Users are advised to upgrade to DataEase version 2.10.6.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:          0.0
impact:          3.3
exploitability:  4.6
remediation:     7.7
relevance:       0.0
threat:          6.4
urgency:         2.9
incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.