DataEase JDBC URL Validation Vulnerability Allowing Remote Code Execution

Vulnerability

A vulnerability in DataEase versions through 2.10.19 allows for remote code execution by exploiting inconsistent locale handling in JDBC URL validation. DataEase's validation relies on the JVM's default locale, while the H2 JDBC engine normalizes URLs using Locale.ENGLISH. In Turkish locale environments, this discrepancy can be leveraged to bypass DataEase's security checks and execute arbitrary code on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the DataEase server.

Reproduction

The vulnerability can be reproduced by submitting a crafted H2 JDBC URL through the DataEase datasource validation interface. The URL must include parameters that exploit the locale handling issue, such as 'iNIT=RUNSCRIPT', which bypasses DataEase's blacklist detection and is executed by the H2 engine.
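The locale mismatch described above (validation case-folding with the JVM default locale while H2 normalises with Locale.ENGLISH) can be shown in a few lines. This is an added illustration, not DataEase's or H2's code: the blocklist, the `isBlockedVulnerable` and `isBlockedHardened` methods and the URL parsing are assumptions constructed for the example.

```java
import java.util.Locale;
import java.util.Set;

public class JdbcUrlLocaleCheck {
    // Constructed blocklist for the example; not DataEase's actual list.
    private static final Set<String> BLOCKED_KEYS = Set.of("INIT");

    // Vulnerable pattern: case-folds with whatever locale the JVM was started with.
    // Under a Turkish locale 'i' uppercases to U+0130 (dotted capital I), so
    // "iNIT" no longer matches "INIT" even though H2 will still recognise the key.
    static boolean isBlockedVulnerable(String url, Locale jvmDefault) {
        String upper = url.toUpperCase(jvmDefault);
        for (String key : BLOCKED_KEYS) {
            if (upper.contains(key)) {
                return true;
            }
        }
        return false;
    }

    // Hardened pattern: parse the ';key=value' parameters and normalise each key
    // with a fixed locale so the check agrees with the engine on every JVM.
    static boolean isBlockedHardened(String url) {
        String[] parts = url.split(";");
        for (int i = 1; i < parts.length; i++) {
            int eq = parts[i].indexOf('=');
            String key = (eq < 0 ? parts[i] : parts[i].substring(0, eq)).trim();
            // Locale.ROOT (or Locale.ENGLISH, as H2 uses) is locale-independent.
            if (BLOCKED_KEYS.contains(key.toUpperCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Locale turkish = Locale.forLanguageTag("tr-TR");
        String url = "jdbc:h2:mem:test;iNIT=RUNSCRIPT";  // parameter quoted in the advisory
        System.out.println("tr uppercase of iNIT : " + "iNIT".toUpperCase(turkish));
        System.out.println("en uppercase of iNIT : " + "iNIT".toUpperCase(Locale.ENGLISH));
        System.out.println("vulnerable check (tr): " + isBlockedVulnerable(url, turkish));
        System.out.println("vulnerable check (en): " + isBlockedVulnerable(url, Locale.ENGLISH));
        System.out.println("hardened check       : " + isBlockedHardened(url));
    }
}
```

Run it with `-Duser.language=tr -Duser.country=TR` to see the same divergence through the JVM default locale; a key allowlist would be stricter still than the blocklist shown here.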

Remediation

Users are advised to upgrade to DataEase version 2.10.20, where this vulnerability has been fixed.

Added: Mar 20, 2026, 4:22 AM
Updated: Mar 20, 2026, 4:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.2
remediation: 7.7
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.