DataEase H2 JDBC Connection Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in DataEase versions through 2.10.8. The issue stems from a Java feature that alters the case of certain characters, which a threat actor can abuse in a crafted message. The vulnerability is triggered by manipulating the H2 JDBC connection string to execute arbitrary scripts from a remote source.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where DataEase is running.

Reproduction

To reproduce this vulnerability, send a POST request to the '/de2api/datasource/validate' endpoint with a JSON payload that includes an H2 connection configuration. The 'TRACE_LEVEL_SYSTEM_OUT' parameter can be set to '3' to enable detailed output. Include a crafted 'INIT' parameter that exploits the character conversion feature in Java, replacing specific characters with their uppercase equivalents. Once the payload is processed, the server executes the script from the specified URL, leading to remote code execution.
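The defensive lesson of the paragraph above is that a check applied to a connection string before the driver normalises it can be defeated by the driver's own case conversion. The following Python validator is an added example written from the defender's side; it is not DataEase's code and not the check DataEase used. It parses a user-supplied H2 JDBC URL the way a data-source endpoint would, upper-cases each setting key the same way the driver is assumed to (the assumption that H2 upper-cases keys before matching is this example's, not the page's), and then permits only a fixed allowlist of settings instead of denying 'INIT' by exact spelling. ALLOWED_SETTINGS, naive_reject and the sample URLs are constructed for the example.

```python
"""Hardened validation of a user-supplied H2 JDBC URL (added example, not DataEase code).

Assumptions made here: the settings in ALLOWED_SETTINGS are the ones a
data-source form legitimately needs, and the H2 driver upper-cases setting
keys before matching them, so any deny-list applied before that normalisation
can be bypassed by a key that is spelled differently but upper-cases to INIT.
"""

H2_PREFIX = "jdbc:h2:"

# Assumed allowlist of settings a data-source form may pass through.
ALLOWED_SETTINGS = {"MODE", "DB_CLOSE_DELAY", "IFEXISTS", "TRACE_LEVEL_FILE"}


def naive_reject(url: str) -> bool:
    """Exact-spelling deny-list of the kind that case conversion defeats.

    Returns True when the URL is rejected. Illustrative only: it checks the raw
    string before any normalisation, so it misses keys the driver would still
    read as INIT after upper-casing.
    """
    return ";INIT=" in url


def parse_h2_url(url: str):
    """Split 'jdbc:h2:<path>;KEY=VALUE;...' into (path, {KEY: VALUE}).

    Keys are upper-cased with str.upper(), which, like Java's toUpperCase, can
    map some non-ASCII letters onto ASCII ones. Normalising here means the
    validator compares what the driver is assumed to compare.
    """
    if not url.startswith(H2_PREFIX):
        raise ValueError("not an H2 JDBC URL")
    path, _, rest = url[len(H2_PREFIX):].partition(";")
    settings = {}
    for part in filter(None, rest.split(";")):
        key, sep, value = part.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed setting {part!r}")
        key = key.strip().upper()
        if key in settings:
            raise ValueError(f"duplicate setting {key}")
        settings[key] = value
    return path, settings


def validate_h2_url(url: str) -> dict:
    """Return the parsed settings if the URL is acceptable, else raise ValueError."""
    _, _, raw_settings = url.partition(";")
    # Every legitimate H2 setting key is ASCII; refusing anything else in the
    # settings segment closes the case-mapping class of bypass before any
    # comparison is made, independently of the allowlist below.
    if not raw_settings.isascii():
        raise ValueError("non-ASCII characters in H2 settings")
    _, settings = parse_h2_url(url)
    # Allowlist after normalisation: INIT (and any other unknown key) is
    # rejected regardless of how it was spelled in the request.
    for key in settings:
        if key not in ALLOWED_SETTINGS:
            raise ValueError(f"setting {key} is not permitted")
    return settings


def is_safe_h2_url(url: str) -> bool:
    """Boolean wrapper so callers can log the reason or fail closed."""
    try:
        validate_h2_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample URLs; 'placeholder' stands in for any INIT statement.
    for sample in (
        "jdbc:h2:mem:testdb;MODE=MySQL;DB_CLOSE_DELAY=-1",
        "jdbc:h2:mem:testdb;INIT=placeholder",
        "jdbc:h2:mem:testdb;init=placeholder",
    ):
        print(f"{sample!r}: naive_reject={naive_reject(sample)} safe={is_safe_h2_url(sample)}")
```

The point of the two checks side by side: naive_reject lets the lower-case spelling through even though the driver would read it as INIT, while validate_h2_url rejects it because the decision is made on the normalised key against an allowlist rather than on the raw bytes against a deny-list.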

Remediation

Users are advised to upgrade to DataEase version 2.10.11, where this vulnerability has been fixed.

Added: Jun 26, 2025, 2:29 PM
Updated: Jun 26, 2025, 3:45 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.