DataEase
cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*, +1 more
- <= 2.10.20
A SQL injection vulnerability has been identified in DataEase versions prior to 2.10.21. This issue arises in the API datasource saving process, where the deTableName field from the Base64-encoded datasource configuration is used to create a DDL statement. The vulnerability exists because the table name is inserted through simple string replacement without any sanitization or escaping. An authenticated attacker can exploit this by crafting a deTableName that escapes identifier quoting, leading to error-based SQL injection that can extract database information, such as the MySQL version.
Exploitation of this vulnerability allows for arbitrary SQL execution, with the potential to leak sensitive database information. For example, the MySQL version can be extracted through the injected SQL commands.
To reproduce this vulnerability, an authenticated user must save an API datasource configuration that includes a crafted deTableName. The deTableName should be designed to break out of identifier quoting and inject SQL commands, such as one using the UPDATEXML function to extract database information. Once the payload is sent, the response will include a SQL error containing the leaked MySQL version, confirming the successful exploitation of the vulnerability.
Users are advised to upgrade to DataEase version 2.10.21, where this vulnerability has been fixed.
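To make the mechanism concrete, the following is an added example; it is not DataEase's code, and it is written in Python for brevity although DataEase itself is Java. It contrasts a DDL builder that splices deTableName into a template by plain string replacement, as the advisory describes, with one that validates the identifier against an allowlist and quotes it before use, and it shows how a defender can pull deTableName out of a Base64-encoded datasource configuration to check it. The DDL template, the column handling, the JSON layout of the configuration and all sample values are assumptions constructed for this example.

```python
import base64
import json
import re
from typing import Sequence

# Allowlist for identifiers accepted from an untrusted datasource config.
# This pattern is an assumption for the example, not DataEase's own rule.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def vulnerable_build_ddl(de_table_name: str, columns: Sequence[str]) -> str:
    """Flawed pattern from the advisory: the table name is dropped into a DDL
    template by string replacement, so a name containing a backtick breaks
    out of identifier quoting (template and columns are assumed here)."""
    template = "CREATE TABLE `{TABLE}` ({COLS})"
    cols = ", ".join(f"`{c}` TEXT" for c in columns)
    return template.replace("{TABLE}", de_table_name).replace("{COLS}", cols)


def quote_identifier(name: str) -> str:
    """Validate a MySQL identifier against the allowlist, then quote it.
    Doubling any backtick is MySQL's escape rule for quoted identifiers and
    is kept as defence in depth even though the allowlist already rejects it."""
    if not IDENT_RE.fullmatch(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return "`" + name.replace("`", "``") + "`"


def safe_build_ddl(de_table_name: str, columns: Sequence[str]) -> str:
    """Hardened builder: every identifier passes through quote_identifier."""
    cols = ", ".join(f"{quote_identifier(c)} TEXT" for c in columns)
    return f"CREATE TABLE {quote_identifier(de_table_name)} ({cols})"


def table_name_from_config(encoded_config: str) -> str:
    """Decode a Base64-encoded JSON datasource config (layout assumed) and
    return its deTableName field as a string."""
    cfg = json.loads(base64.b64decode(encoded_config))
    name = cfg.get("deTableName")
    if not isinstance(name, str):
        raise ValueError("deTableName missing or not a string")
    return name


def breaks_identifier_quoting(name: str) -> bool:
    """Cheap check a reviewer or WAF rule can apply to incoming configs:
    a backtick in a table name is the one character that can close a
    backtick-quoted identifier in MySQL."""
    return "`" in name


# Constructed sample config: a legitimate table name, Base64-encoded the way
# the advisory says the datasource configuration is transported.
SAMPLE_CONFIG_B64 = base64.b64encode(
    json.dumps({"deTableName": "sales_2024", "type": "API"}).encode()
).decode()


if __name__ == "__main__":
    name = table_name_from_config(SAMPLE_CONFIG_B64)
    print(safe_build_ddl(name, ["id", "region"]))
    # A name carrying a backtick is accepted by the flawed builder but
    # rejected by the hardened one.
    odd = "bad`name"
    print(vulnerable_build_ddl(odd, ["id"]))
    try:
        safe_build_ddl(odd, ["id"])
    except ValueError as exc:
        print("hardened builder:", exc)
```

The allowlist is the real control: escaping alone would make the value safe inside backticks, but rejecting anything outside `[A-Za-z0-9_]` also removes the chance of a later code path using the name unquoted. The odd number of backticks in the flawed builder's output is a simple signature for a table name that has escaped its quoting.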