Dataease JNDI Injection Vulnerability in Oracle JDBC Connections

Vulnerability

A JNDI injection vulnerability has been identified in Dataease versions 2.10.14 and prior. The issue arises because the application did not properly sanitize the parameters it used when establishing JDBC connections to Oracle databases, so an attacker-controlled JNDI reference could be passed through to the driver. This oversight allows the injection of malicious JNDI references, which could be exploited under certain conditions.

Impact

Exploitation of this vulnerability allows for JNDI injection, where an attacker can manipulate JNDI lookups to potentially execute arbitrary code or access sensitive information.

Reproduction

To reproduce this vulnerability, create a JDBC connection to an Oracle database using a URL that includes a malicious LDAP reference. If the connection is established and the LDAP server receives the request, the vulnerability has been successfully exploited.

Remediation

Users are advised to upgrade to Dataease version 2.10.15, where this vulnerability has been fixed.
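The advisory's root cause is that the Oracle connection parameters reached the driver unchecked. The class below is an added illustration written for this page, not Dataease's own code or its actual fix, of the kind of pre-connection check that closes this class of issue: it accepts only the plain host-and-port forms of an Oracle thin-driver URL and rejects anything that carries an ldap:// or ldaps:// naming reference (the Oracle thin driver accepts such URLs for directory-based naming, which is what lets a JNDI lookup ride in on a connection string). The class name OracleJdbcUrlGuard, the host-form pattern and the sample URLs are assumptions made for the example.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Hypothetical pre-connection validator for user-supplied Oracle JDBC URLs.
 * Added example for this page; not Dataease code.
 */
public final class OracleJdbcUrlGuard {

    // Only the two plain thin-driver forms are accepted (assumed policy):
    //   jdbc:oracle:thin:@host:port:SID
    //   jdbc:oracle:thin:@//host:port/service
    // TNS descriptors, LDAP naming URLs and anything with extra syntax fail the match.
    private static final Pattern HOST_FORM = Pattern.compile(
        "^jdbc:oracle:thin:@(//)?([A-Za-z0-9.-]+)(:\\d{1,5})?[:/]([A-Za-z0-9_.$-]+)$");

    // Naming-service schemes that must never appear anywhere in the URL
    private static final Set<String> REJECTED_SCHEMES = Set.of("ldap", "ldaps");

    private OracleJdbcUrlGuard() {}

    /** Returns true only when the URL is a plain host/port Oracle thin URL. */
    public static boolean isSafe(String url) {
        if (url == null || url.length() > 512) {
            return false;
        }
        String lower = url.toLowerCase(Locale.ROOT);
        // Deny-list check first so the reason for rejection is explicit in logs
        for (String scheme : REJECTED_SCHEMES) {
            if (lower.contains(scheme + ":")) {
                return false;
            }
        }
        // Allow-list check: the URL must match one of the accepted shapes exactly
        return HOST_FORM.matcher(url).matches();
    }

    public static void main(String[] args) {
        // Constructed sample URLs; none point at real systems
        String[] samples = {
            "jdbc:oracle:thin:@db.internal.example:1521:ORCL",
            "jdbc:oracle:thin:@//db.internal.example:1521/ORCLPDB1",
            "jdbc:oracle:thin:@ldap://untrusted.example:389/cn=x",
            "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(HOST=x)(PORT=1)))",
        };
        for (String s : samples) {
            System.out.printf("%-60s -> %s%n", s, isSafe(s) ? "accept" : "reject");
        }
    }
}
```

Run the check before the URL is handed to DriverManager.getConnection or a connection pool; the same two rules, a scheme deny-list plus an exact-shape allow-list, can be run over data-source creation logs to flag connection strings that would have been rejected.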

Added: Nov 6, 2025, 1:18 AM
Updated: Nov 6, 2025, 1:18 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          1.3
  exploitability  6.0
  remediation     7.7
  relevance       0.9
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.