io.dataease
cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*
- <= 2.10.19
A SQL injection vulnerability has been identified in Dataease versions prior to 2.10.20. The issue arises in the '/de2api/datasource/previewData' endpoint, where the 'table' parameter is directly appended to the SQL query without proper validation or parameterization. This flaw allows attackers to inject malicious SQL by manipulating table names. The vulnerability has been patched in version 2.10.20.
Exploiting this vulnerability lets an attacker interfere with the application's database queries. This could lead to unauthorized data access, data manipulation, or, in some cases, the execution of administrative operations on the database.
To reproduce this vulnerability, first obtain a valid data source ID by sending a POST request to the '/de2api/datasource/tree' endpoint. Once the ID is retrieved, send a POST request to the '/de2api/datasource/previewData' endpoint, including the crafted 'table' parameter that exploits the SQL injection vulnerability. The injected SQL payload can be designed to, for example, union select database information or user details.
Users are advised to upgrade to Dataease version 2.10.20 or later.
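The flaw class described above (a table name appended to the SQL text) next to one way to close it, as an added example that is not DataEase code and not the project's actual patch. It uses a constructed in-memory SQLite database; the table names and the function names `preview_unsafe` and `preview_safe` are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed in-memory database standing in for a connected data source."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (id INTEGER, item TEXT);
        CREATE TABLE users  (id INTEGER, password_hash TEXT);
        INSERT INTO orders VALUES (1, 'widget');
        INSERT INTO users  VALUES (1, 'constructed-hash-value');
    """)
    return db

def preview_unsafe(db, table, limit=10):
    # Flaw class from the advisory: the table name is appended to the SQL text,
    # so whatever the caller sends becomes part of the statement.
    return db.execute(f"SELECT * FROM {table} LIMIT {int(limit)}").fetchall()

def preview_safe(db, table, limit=10):
    # Identifiers cannot be bound as parameters, so resolve the requested name
    # against the tables that really exist and reject anything else.
    known = {row[0] for row in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in known:
        raise ValueError("unknown table")
    # Quote the identifier even after the check (defence in depth).
    quoted = '"' + table.replace('"', '""') + '"'
    # Values such as the row limit can and should be bound as parameters.
    return db.execute(f"SELECT * FROM {quoted} LIMIT ?", (int(limit),)).fetchall()

# Constructed hostile value: a "table name" that carries extra SQL.
HOSTILE = "orders UNION SELECT id, password_hash FROM users"

if __name__ == "__main__":
    db = make_db()
    print("unsafe, hostile name:", preview_unsafe(db, HOSTILE))
    print("safe, normal name:   ", preview_safe(db, "orders"))
    try:
        preview_safe(db, HOSTILE)
    except ValueError as exc:
        print("safe, hostile name:   rejected:", exc)
```

The allow-list comes from the database's own catalogue, so the check fails closed for any name the data source does not actually contain.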