DataEase
cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*, +1 more
- <= 2.10.20
A SQL injection vulnerability has been identified in DataEase versions prior to 2.10.21, specifically within the API datasource update process. When a new table definition is added during a datasource update, the 'deTableName' field from the user-submitted configuration is passed to a method that creates a database table. The table name is not sanitized or escaped before it is used, allowing authenticated attackers to inject arbitrary SQL commands. The flaw can be exploited as error-based SQL injection, enabling the extraction of database information.
An attacker who exploits this vulnerability can have injected SQL commands executed by the database. This could result in unauthorized data access or manipulation.
To reproduce this vulnerability, first create a normal API datasource. Then, submit a new table definition through the '/de2api/datasource/update' interface, including a payload that exploits the SQL injection vulnerability by breaking out of the table identifier quoting and injecting SQL commands. The injection can be verified by observing a 400 error response that leaks database version information, indicating successful exploitation.
Users are advised to upgrade to DataEase version 2.10.21, where this vulnerability has been fixed.
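The class of check whose absence the description above points to, as an added example that is not DataEase code: a table name taken from a request is matched against a strict allowlist before it is placed in a CREATE TABLE statement. The function names, the 64-character limit and the use of an in-memory SQLite database as a stand-in are assumptions made for illustration.

```python
import re
import sqlite3

# Allowlist for request-supplied table names: a letter or underscore first,
# then letters, digits or underscores; 64 characters at most (assumed limit).
_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def safe_table_identifier(name):
    """Return name wrapped in double quotes, or raise ValueError."""
    if not isinstance(name, str) or not _IDENT.fullmatch(name):
        raise ValueError(f"rejected table name: {name!r}")
    return f'"{name}"'


def create_table(conn, de_table_name, columns):
    """Create a table whose name and column names come from a request."""
    # Identifiers cannot be bound as SQL parameters, so each one is
    # validated before it is formatted into the statement.
    table = safe_table_identifier(de_table_name)
    cols = ", ".join(f"{safe_table_identifier(c)} TEXT" for c in columns)
    conn.execute(f"CREATE TABLE {table} ({cols})")


def table_names(conn):
    """List the tables that actually exist in the database."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return sorted(r[0] for r in rows)


def demo():
    """Run constructed names through create_table; return (created, rejected)."""
    conn = sqlite3.connect(":memory:")
    rejected = []
    # Constructed inputs: one ordinary name; the rest contain quoting or
    # statement characters an identifier never needs, or are empty.
    for name in ["api_orders_2024", 'orders" x', "orders`x", "a;b", ""]:
        try:
            create_table(conn, name, ["id", "payload"])
        except ValueError:
            rejected.append(name)
    return table_names(conn), rejected


if __name__ == "__main__":
    print(demo())
```

Rejected names are worth logging together with the authenticated user, since an ordinary datasource update has no reason to submit them.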