DataEase SQL Injection Vulnerability in Dataset Export and Enumeration Endpoints

A SQL injection vulnerability has been identified in DataEase versions prior to 2.10.21. The issue resides in the orderDirection parameter of dataset-related endpoints, specifically '/de2api/datasetData/enumValueDs' and '/de2api/datasetTree/exportDataset'. The vulnerability allows authenticated attackers to inject arbitrary SQL commands, exploiting the lack of validation on user-supplied input. This injection is executed via time-based blind SQL injection, enabling data extraction and potential denial-of-service conditions.

Impact

Exploitation of this vulnerability allows for arbitrary SQL command injection, leading to time-based blind data extraction and denial-of-service conditions by causing delays in database response times.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/de2api/datasetData/enumValueDs' endpoint. The request must include a payload in the orderDirection parameter that exploits the SQL injection vulnerability, such as a time-based SQL injection payload. This can be done by first fetching the details of a valid dataset to ensure the request is properly structured, and then injecting the SQL payload through the vulnerable parameter.

Remediation

Users are advised to upgrade to DataEase version 2.10.21, where this vulnerability has been fixed.