jeecgboot JimuReport Data Large Screen Template PostgreSQL JDBC Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in jeecgboot JimuReport versions through 2.1.1. It affects the Data Large Screen Template component, specifically the '/drag/onlDragDataSource/testConnection' interface. The root cause is improper input validation: the endpoint accepts attacker-crafted connection parameters without restriction and passes them to the PostgreSQL JDBC driver, where they exploit deserialization flaws during connection setup.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where JimuReport is running.

Reproduction

To reproduce this vulnerability, log into JimuReport and navigate to the Data Large Screen Template. Add a data source and use the test connection feature, which invokes the vulnerable '/drag/onlDragDataSource/testConnection' endpoint. Because the backend places no restrictions on the supplied connection parameters, harmful JDBC parameters can be injected, leading to remote code execution through the PostgreSQL driver.

Remediation

The vulnerability has been addressed in the latest version of JimuReport, which is available for download.
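As an added illustration of the kind of server-side input validation this advisory says was missing, the following Java class is an example written for this page, not JimuReport's own code or fix. It treats a user-supplied PostgreSQL JDBC URL as untrusted: it parses it, keeps only an allowlist of driver parameters (the class name, method names and the allowlisted parameter names are assumptions chosen for the example), and rebuilds a canonical URL from the parsed parts instead of forwarding the original string to the driver. The same allowlist is applied to the Properties object, since the PostgreSQL driver accepts connection parameters from either place.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/** Hypothetical server-side policy for user-supplied PostgreSQL JDBC connection settings. */
public final class PgJdbcUrlPolicy {

    // Constructed allowlist: the only driver parameters this example application needs.
    // Anything else, whether it arrives in the URL query or in the Properties map, is rejected.
    private static final Set<String> ALLOWED_PARAMS = new HashSet<>(Arrays.asList(
            "sslmode", "connectTimeout", "ApplicationName", "currentSchema"));

    private static final String PREFIX = "jdbc:postgresql://";

    /**
     * Validates a user-supplied URL and returns a canonical URL rebuilt from the parsed
     * host, port, database name and allowlisted parameters only.
     */
    public static String canonicalize(String jdbcUrl) {
        if (jdbcUrl == null || !jdbcUrl.startsWith(PREFIX)) {
            throw new IllegalArgumentException("only " + PREFIX + " URLs are accepted");
        }
        URI uri;
        try {
            // Drop the "jdbc:" scheme prefix so java.net.URI can split host/port/path/query.
            uri = new URI(jdbcUrl.substring("jdbc:".length()));
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed JDBC URL", e);
        }
        if (uri.getHost() == null || uri.getUserInfo() != null || uri.getFragment() != null) {
            throw new IllegalArgumentException("host is required; user info and fragments are not allowed");
        }
        String path = uri.getPath();
        if (path == null || !path.matches("/[A-Za-z0-9_]+")) {
            throw new IllegalArgumentException("database name must be a single identifier");
        }
        Map<String, String> params = new LinkedHashMap<>();
        String query = uri.getRawQuery();
        if (query != null && !query.isEmpty()) {
            for (String pair : query.split("&")) {
                int eq = pair.indexOf('=');
                String key = eq < 0 ? pair : pair.substring(0, eq);
                String value = eq < 0 ? "" : pair.substring(eq + 1);
                requireAllowed(key);
                // Values are restricted to a conservative character set (constructed policy).
                if (!value.matches("[A-Za-z0-9_.-]*")) {
                    throw new IllegalArgumentException("unexpected characters in value of: " + key);
                }
                params.put(key, value);
            }
        }
        // Rebuild the URL from validated parts; the original string is never forwarded.
        StringBuilder out = new StringBuilder(PREFIX).append(uri.getHost());
        if (uri.getPort() != -1) {
            out.append(':').append(uri.getPort());
        }
        out.append(path);
        String sep = "?";
        for (Map.Entry<String, String> e : params.entrySet()) {
            out.append(sep).append(e.getKey()).append('=').append(e.getValue());
            sep = "&";
        }
        return out.toString();
    }

    /** Applies the same allowlist to driver properties passed alongside the URL. */
    public static Properties filterProperties(Properties supplied) {
        Properties safe = new Properties();
        for (String name : supplied.stringPropertyNames()) {
            // Credentials belong in Properties, not in the URL; everything else must be allowlisted.
            if (!name.equals("user") && !name.equals("password")) {
                requireAllowed(name);
            }
            safe.setProperty(name, supplied.getProperty(name));
        }
        return safe;
    }

    private static void requireAllowed(String key) {
        if (!ALLOWED_PARAMS.contains(key)) {
            throw new IllegalArgumentException("JDBC parameter not permitted: " + key);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a benign URL and one carrying a parameter outside the allowlist.
        System.out.println(canonicalize("jdbc:postgresql://db.internal:5432/reports?sslmode=require"));
        try {
            canonicalize("jdbc:postgresql://db.internal:5432/reports?sslmode=require&unexpectedParam=x");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Save as PgJdbcUrlPolicy.java and run with `javac PgJdbcUrlPolicy.java && java PgJdbcUrlPolicy`. The first call prints the canonical URL unchanged; the second is rejected before any driver code runs. In a real deployment the host would also be checked against an allowlist of approved database servers, and the "test connection" action would be limited to administrators, since a connection test is by design an outbound call driven by user input.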

Added: Aug 14, 2025, 3:28 PM
Updated: Aug 14, 2025, 3:28 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          7.5
exploitability  6.0
remediation     0.0
relevance       0.4
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.