DataEase
cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*
- <= 2.10.13
A JDBC driver bypass vulnerability has been identified in the DataEase data visualization and analytics platform, specifically in versions through 2.10.13. The issue resides in the H2 database connection handler, where the 'getJdbc' function improperly validates the JDBC URL. An authenticated attacker can exploit this vulnerability by supplying a JDBC URL that appears legitimate while redirecting the connection through a malicious JDBC driver. This flaw could potentially lead to remote code execution.
Exploitation of this vulnerability allows for arbitrary JDBC connections to be established using malicious drivers, with the potential to execute remote code on the server.
To reproduce this vulnerability, send a POST request to the '/de2api/datasource/validate' endpoint. Include a base64-encoded JSON payload that specifies a JDBC URL starting with 'jdbc:h2', while the 'jdbc' field contains a different JDBC URL that directs to a malicious driver. The JDBC URL validation is bypassed, and the server establishes the arbitrary JDBC connection with the specified driver.
Users are advised to upgrade to DataEase version 2.10.14, where this vulnerability has been fixed.
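For reviewing stored or logged datasource configurations alongside the upgrade, the following added example (not DataEase code and not the 2.10.14 fix) decodes the base64-encoded JSON and flags the mismatch described above, where the 'jdbc' field selects a different driver than the URL that starts with 'jdbc:h2'. It assumes only that the payload is a JSON object with a 'jdbc' field; the `declaredUrl` key and the `otherdriver` scheme in the constructed samples are hypothetical.

```python
import base64
import json
import re

# A JDBC URL is jdbc:<subprotocol>:<rest>; the subprotocol selects the driver.
_JDBC_RE = re.compile(r"^jdbc:([A-Za-z0-9_+.-]+):", re.IGNORECASE)

def jdbc_subprotocol(value):
    """Return the lowercased subprotocol of a JDBC URL, or None if value is not one."""
    m = _JDBC_RE.match(value) if isinstance(value, str) else None
    return m.group(1).lower() if m else None

def _strings(node, path=""):
    """Yield (path, value) for every string in a decoded JSON document."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _strings(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _strings(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def audit_h2_config(b64_config):
    """Return findings for one base64-encoded H2 datasource configuration."""
    try:
        # binascii.Error and JSON/UTF-8 decode errors are all ValueError subclasses.
        doc = json.loads(base64.b64decode(b64_config, validate=True))
    except ValueError:
        return ["configuration is not base64-encoded JSON"]
    if not isinstance(doc, dict):
        return ["configuration is not a JSON object"]
    findings = []
    # The 'jdbc' field (named on the page) must itself be an H2 URL.
    if jdbc_subprotocol(doc.get("jdbc")) != "h2":
        findings.append("'jdbc' field is not a jdbc:h2 URL")
    # Every other JDBC URL in the document must select the same driver.
    seen = {p: jdbc_subprotocol(v) for p, v in _strings(doc) if jdbc_subprotocol(v)}
    if len(set(seen.values())) > 1:
        findings.append("mixed JDBC drivers: " + ", ".join(f"{p}={s}" for p, s in sorted(seen.items())))
    return findings

def encode(doc):
    return base64.b64encode(json.dumps(doc).encode()).decode()

# Constructed samples; 'declaredUrl' and 'otherdriver' are hypothetical names.
CLEAN = encode({"jdbc": "jdbc:h2:mem:reports"})
MISMATCH = encode({"declaredUrl": "jdbc:h2:mem:reports",
                   "jdbc": "jdbc:otherdriver://db.example.invalid/reports"})
```

An empty list from `audit_h2_config` means every JDBC URL in the configuration, including the 'jdbc' field, selects the H2 driver.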