Tencent Music Entertainment SuperSonic
cpe:2.3:a:tencentmusic:supersonic:*:*:*:*:*:*:*
- <= 0.9.8
A critical code injection vulnerability has been identified in Tencent Music Entertainment SuperSonic versions prior to 0.9.8. The issue arises in the H2 Database Connection Handler behind the '/api/semantic/database/testConnect' endpoint. The vulnerability allows an attacker to manipulate the database connection URL to execute arbitrary commands. Exploitation can be performed remotely, and the details of this vulnerability have been disclosed publicly.
Exploitation of this vulnerability allows for unauthorized code execution on the server.
To reproduce this vulnerability, send a POST request to '/api/semantic/database/testConnect' with an H2 database connection URL that includes malicious payloads. The URL can be crafted to execute commands on the server by exploiting the H2 database's scripting capabilities. After the request is processed, the injected commands will be executed, demonstrating the code execution vulnerability.
It is recommended to update Tencent Music Entertainment SuperSonic to version 0.9.8 or later. Additionally, implement input validation to restrict the database connection URLs to safe and expected formats, and sanitize any potentially dangerous parameters.
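The recommended input validation can be implemented as an allowlist check that runs server-side before the submitted URL ever reaches `DriverManager.getConnection()`. The class below is an added example written for this page; it is not code from SuperSonic or from the advisory, and the class name, the set of allowlisted connection settings, the accepted location forms (`mem:` and `file:`) and the data directory `/var/lib/supersonic/h2` are assumptions that would need adjusting to the real deployment. Because it allowlists settings rather than denylisting them, the H2 settings that execute SQL at connect time (such as `INIT`) are rejected without having to enumerate every dangerous option, and the `file:` branch also prevents a path from escaping the data directory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

/**
 * Allowlist validator for H2 JDBC URLs submitted to a "test connection" endpoint.
 * Hypothetical helper (not part of SuperSonic): call validate() on the raw,
 * already URL-decoded string before it is handed to DriverManager.getConnection().
 */
public final class H2JdbcUrlValidator {

    // H2 connection settings this endpoint legitimately needs (assumed set).
    // Anything not listed, including settings that run SQL on connect, is rejected.
    private static final Set<String> ALLOWED_SETTINGS = Set.of(
            "DB_CLOSE_DELAY", "MODE", "USER", "PASSWORD");

    // Only file-backed databases under this directory are accepted (assumed deployment path).
    private static final Path DATA_ROOT =
            Paths.get("/var/lib/supersonic/h2").toAbsolutePath().normalize();

    private static final String PREFIX = "jdbc:h2:";

    private H2JdbcUrlValidator() {}

    /** Outcome of a validation: accepted or rejected with a human-readable reason. */
    public static final class Result {
        public final boolean ok;
        public final String reason;
        private Result(boolean ok, String reason) { this.ok = ok; this.reason = reason; }
        static Result reject(String reason) { return new Result(false, reason); }
        static Result accept() { return new Result(true, "ok"); }
    }

    public static Result validate(String url) {
        if (url == null || url.isEmpty() || url.length() > 512) {
            return Result.reject("missing or oversized url");
        }
        // H2 URLs have the shape jdbc:h2:<location>[;SETTING=VALUE]...
        if (!url.regionMatches(true, 0, PREFIX, 0, PREFIX.length())) {
            return Result.reject("not an H2 jdbc url");
        }
        String[] parts = url.substring(PREFIX.length()).split(";", -1);
        String location = parts[0];

        if (location.startsWith("mem:")) {
            // In-memory database: restrict the name to a plain identifier.
            String name = location.substring("mem:".length());
            if (!name.matches("[A-Za-z0-9_]{1,64}")) {
                return Result.reject("bad in-memory database name");
            }
        } else if (location.startsWith("file:")) {
            // File database: normalize the path and confine it to DATA_ROOT.
            Path p = Paths.get(location.substring("file:".length())).toAbsolutePath().normalize();
            if (!p.startsWith(DATA_ROOT)) {
                return Result.reject("database file outside data root");
            }
        } else {
            // tcp:, ssl:, zip: and bare paths are not needed by this endpoint (assumption).
            return Result.reject("unsupported H2 location type");
        }

        // Every trailing ;KEY=VALUE setting must be allowlisted and carry a simple value.
        for (int i = 1; i < parts.length; i++) {
            String setting = parts[i];
            int eq = setting.indexOf('=');
            if (eq <= 0) {
                return Result.reject("malformed setting: " + setting);
            }
            String key = setting.substring(0, eq).trim().toUpperCase(Locale.ROOT);
            String value = setting.substring(eq + 1);
            if (!ALLOWED_SETTINGS.contains(key)) {
                return Result.reject("setting not allowed: " + key);
            }
            if (!value.matches("[A-Za-z0-9_\\-]{0,64}")) {
                return Result.reject("bad value for setting: " + key);
            }
        }
        return Result.accept();
    }

    // Constructed sample inputs showing accepted and rejected shapes.
    public static void main(String[] args) {
        String[] samples = {
            "jdbc:h2:mem:testdb;DB_CLOSE_DELAY=-1",
            "jdbc:h2:file:/var/lib/supersonic/h2/demo;MODE=MySQL",
            "jdbc:h2:file:/var/lib/supersonic/h2/../../../etc/x",
            "jdbc:h2:mem:testdb;SOME_OTHER_SETTING=1",
            "jdbc:mysql://db/app"
        };
        for (String s : samples) {
            Result r = validate(s);
            System.out.println((r.ok ? "ACCEPT " : "REJECT ") + s + " (" + r.reason + ")");
        }
    }
}
```

In the sample run the first two URLs are accepted and the remaining three are rejected (path escape, non-allowlisted setting, wrong driver). Run the check on the string exactly as it will be passed to the driver, after any framework decoding, and keep the allowlist as small as the feature actually requires; widening it later is easier than discovering a setting that should never have been accepted.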