DataEase JDBC Connection Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in DataEase, an open-source business intelligence tool, in versions through 2.10.7. The issue lies in how the backend handles JDBC connections: an authenticated user can supply a crafted JDBC connection string which the application processes, resulting in arbitrary code execution.

Impact

Exploitation of this vulnerability allows authenticated users to execute arbitrary code on the server where DataEase is running.

Reproduction

To reproduce this vulnerability, an authenticated user must send a request to the DataEase API to validate a datasource configuration. The request must include a JDBC connection string that points to a malicious SQL file hosted on an external server. When the DataEase application processes the JDBC connection, it will execute the code contained in the SQL file, leading to remote code execution.

Remediation

Users are advised to upgrade to DataEase version 2.10.8, where this vulnerability has been patched.
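Beyond upgrading, the kind of server-side check a datasource-validation endpoint can apply before a user-supplied connection string ever reaches a JDBC driver: allow-list the subprotocol and the connection parameters, and reject any value that looks like a file path or a remote location. This is an added example, not DataEase's code or its 2.10.8 patch; the allow-lists and the sample URLs (including the `loadScript` parameter name) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-lists for this example; a real deployment would derive them
# from the datasource types and connection options it actually supports.
ALLOWED_SUBPROTOCOLS = {"mysql", "postgresql"}
ALLOWED_PARAMS = {"usessl", "servertimezone", "characterencoding", "connecttimeout"}
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def split_jdbc_url(url: str):
    """Split 'jdbc:<sub>://host[:port]/db[?|;]k=v[&|;]k=v' into (sub, parts, params)."""
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    sub, sep, rest = url[len("jdbc:"):].partition(":")
    if not sep:
        raise ValueError("missing subprotocol separator")
    # Parameters follow '?' for MySQL/PostgreSQL and ';' for several other drivers;
    # treat whichever comes first as the start of the parameter list.
    m = re.search(r"[?;]", rest)
    locator, param_str = (rest[:m.start()], rest[m.start() + 1:]) if m else (rest, "")
    parts = urlsplit(locator)  # '//host:port/db' parses into netloc + path
    params = []
    for item in re.split(r"[&;]", param_str):
        if item:
            key, _, value = item.partition("=")
            params.append((key.strip().lower(), value))
    return sub.lower(), parts, params


def validate_jdbc_url(url: str) -> list:
    """Return the reasons a user-supplied JDBC URL is rejected; [] means accepted."""
    try:
        sub, parts, params = split_jdbc_url(url)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if sub not in ALLOWED_SUBPROTOCOLS:
        problems.append(f"subprotocol not allowed: {sub}")
    if not parts.hostname or not HOST_RE.match(parts.hostname):
        problems.append("missing or malformed host")
    if not re.fullmatch(r"/[A-Za-z0-9_]+", parts.path):
        problems.append("database name must be a single identifier")
    for key, value in params:
        if key not in ALLOWED_PARAMS:
            problems.append(f"parameter not allowed: {key}")
        elif "://" in value or "/" in value or "\\" in value:
            problems.append(f"parameter value looks like a path or URL: {key}")
    return problems
```

A stricter design accepts host, port, database name and a fixed set of options as separate fields and composes the URL server-side, so a raw connection string is never taken from the client at all.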

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 4.6
remediation: 7.7
relevance: 0.0
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.