DataEase SQL Injection Vulnerability in Dataset Export Functionality

Vulnerability

A SQL injection vulnerability has been identified in DataEase versions prior to 2.10.21, specifically within the dataset export feature. The issue lies in the expressionTree parameter of the POST /de2api/datasetTree/exportDataset endpoint, where user-supplied values in 'like' filter terms are appended directly to SQL queries without proper sanitization. This flaw allows attackers to inject arbitrary SQL commands, potentially as blind SQL injection that uses time-based techniques to extract database information.

Impact

Exploitation of this vulnerability allows an attacker to manipulate SQL queries to execute arbitrary commands or extract sensitive database information.

Reproduction

To reproduce this vulnerability, send a POST request to the /de2api/datasetTree/exportDataset endpoint with a crafted expressionTree parameter. The payload should include a 'like' filter value that escapes the string literal, injecting SQL commands. If the injection is successful, a delay will be observed, indicating that the injected SQL command was executed.

Remediation

Users are advised to upgrade to DataEase version 2.10.21, where this vulnerability has been fixed.
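
For teams reviewing their own filter-to-SQL code for the same defect class, the following added example (not DataEase's code, and not taken from its fix) puts the concatenated 'like' pattern described under Vulnerability beside a parameterized one. The filter keys, table, rows and input value are constructed assumptions, and SQLite stands in for the real database.

```python
import sqlite3

# Constructed sample data and a hypothetical filter shape; the keys "field",
# "term" and "value" are assumptions, not DataEase's expressionTree schema.
ALLOWED_FIELDS = {"name", "city"}
CONSTRUCTED_VALUE = "zz%' OR name LIKE '"  # constructed input containing a quote

def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so user text only matches literally."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))

def build_concatenated(item):
    # Weak pattern from the advisory: the value lands inside the string literal.
    sql = f"SELECT name FROM customers WHERE {item['field']} LIKE '%{item['value']}%'"
    return sql, ()

def build_parameterized(item):
    # Column names cannot be bound, so they are checked against an allow-list.
    if item.get("term") != "like" or item.get("field") not in ALLOWED_FIELDS:
        raise ValueError("unsupported filter term or field")
    sql = f"SELECT name FROM customers WHERE {item['field']} LIKE ? ESCAPE '\\'"
    return sql, ("%" + escape_like(str(item["value"])) + "%",)

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, city TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)",
                   [("alice", "Oslo"), ("bob", "Lima"), ("100%_sure", "Rome")])
    return db

def run(db, builder, item):
    sql, params = builder(item)
    return sorted(row[0] for row in db.execute(sql, params))

if __name__ == "__main__":
    db = make_db()
    for value in ("ali", "%", CONSTRUCTED_VALUE):
        item = {"field": "name", "term": "like", "value": value}
        print(repr(value), run(db, build_concatenated, item),
              run(db, build_parameterized, item))
```

With the bound parameter, the quote in the constructed value is matched as data and returns no rows, while the concatenated query changes structure and returns every row.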

Added: Apr 16, 2026, 6:27 PM
Updated: Apr 16, 2026, 6:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 7.7
relevance: 6.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.