Primary

Context

Datart Arbitrary Code Execution Vulnerability via INIT Connection Parameter

Vulnerability

A remote code execution vulnerability exists in Datart version 1.0.0-rc.3. The issue arises from the INIT connection parameter, which can be exploited by a remote attacker to execute arbitrary code.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where Datart is running.

Reproduction

To reproduce this vulnerability, send a POST request to the Datart server's data provider API with a JDBC data provider type. In the properties section, include an H2 database URL that uses the INIT parameter to create a malicious alias. This alias can then be executed to perform arbitrary actions, such as creating a file on the server.

Added: Sep 24, 2025, 4:17 PM

Updated: Sep 24, 2025, 10:17 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

6.6

remediation

0.0

relevance

0.6

threat

6.7

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

10.0

exploitability

6.6

remediation

0.0

relevance

0.6

threat

6.7

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Datart Arbitrary Code Execution Vulnerability via INIT Connection Parameter

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating