DataEase JDBC URL Injection Vulnerability in DB2 and MongoDB Data Source Handlers

A JDBC URL injection vulnerability has been identified in DataEase versions through 2.10.13, specifically within the DB2 and MongoDB data source configuration handlers. The issue arises in the DB2 handler when the extraParams field is empty, allowing the HOSTNAME, PORT, and DATABASE values to be concatenated into the JDBC URL without proper validation. This flaw enables an attacker to inject a malicious JDBC string into the HOSTNAME field, potentially bypassing previously addressed vulnerabilities CVE-2025-57773 and CVE-2025-58045. The same vulnerability exists in the MongoDB data source handler under similar conditions.

Impact

Exploitation of this vulnerability allows for JDBC URL manipulation, which could be used to inject malicious payloads or bypass existing security measures, as demonstrated by the ability to circumvent vulnerabilities CVE-2025-57773 and CVE-2025-58045.

Reproduction

To reproduce this vulnerability, create a DB2 or MongoDB data source in DataEase version 2.10.13 or earlier. Leave the extraParams field empty and enter a malicious JDBC string in the HOSTNAME field. When the JDBC URL is generated, the injected string will be included without proper filtering, allowing for exploitation.

Remediation

Upgrade to DataEase version 2.10.14, where this vulnerability has been fixed.