DataEase Redshift JDBC Connection Parameter Bypass Vulnerability Leading to Remote Code Execution

A vulnerability in DataEase versions prior to 2.10.10 allows for a bypass of the patch for CVE-2025-46566, leading to remote code execution. The issue arises in the Redshift data source where the 'getUrlType()' method improperly handles the 'hostName' parameter. This oversight allows malicious payloads to be crafted by concatenating unfiltered data into JDBC statements, exploiting the application's database connection handling.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where DataEase is running.

Reproduction

To reproduce this vulnerability, first, upload a malicious XML file to a server that can be accessed by the DataEase application. This file should contain a payload designed to be executed when the JDBC connection is established. Next, create a Redshift data source in DataEase and configure the JDBC URL to include the 'socketFactory' and 'socketFactoryArg' parameters. The 'socketFactory' parameter should be set to 'org.springframework.context.support.ClassPathXmlApplicationContext', and the 'socketFactoryArg' parameter should be set to the URL of the malicious XML file. When DataEase processes this JDBC connection, the application will decode the URL and, due to the flawed parameter validation, execute the payload contained in the XML file, thereby achieving remote code execution.

Remediation

Users are advised to upgrade to DataEase version 2.10.10 or later, where this vulnerability has been patched.