DataEase
cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*
- <= 2.10.20
A JDBC parameter blocklist bypass vulnerability has been identified in DataEase versions 2.10.20 and prior. This vulnerability allows authenticated attackers to manipulate JDBC parameters in a way that could lead to arbitrary file read operations. The issue arises because the MySQL datasource configuration improperly handles the blocklist of illegal parameters. Exploitation involves sending a crafted datasource configuration that bypasses the blocklist, enabling the inclusion of dangerous JDBC parameters. When the datasource is validated, the MySQL driver can be tricked into reading sensitive files from the server's filesystem, such as environment variables and database credentials.
Exploitation of this vulnerability allows for arbitrary file read operations from the DataEase server filesystem, potentially leading to the exfiltration of sensitive information such as environment variables and database credentials.
To reproduce this vulnerability, first, create a fake MySQL server that can intercept file read requests. Then, configure a datasource in DataEase with the blocklist bypass and the 'allowLoadLocalInfile' parameter set to true. Once the datasource is saved, the MySQL server will receive the requested file data through the 'LOAD DATA LOCAL INFILE' protocol, effectively exfiltrating the file contents back to the attacker.
Users are advised to upgrade to DataEase version 2.10.21, where this vulnerability has been fixed.
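The root cause above is a blocklist that did not canonicalize datasource parameters before comparing them. The following is an added example, not DataEase's own code (DataEase is written in Java; Python is used here so the check can be run stand-alone), of how a datasource validator can reject the dangerous Connector/J parameters robustly. The page does not say which bypass was used, so the normalization steps (case folding, whitespace trimming, repeated URL-decoding) are assumptions about typical gaps, and the blocked-parameter list is constructed for this example.

```python
from urllib.parse import unquote_plus

# Connector/J properties that must never be settable from an untrusted
# datasource configuration (constructed list; extend it for your driver version).
BLOCKED_PARAMS = {
    "allowloadlocalinfile",        # enables LOAD DATA LOCAL INFILE file reads
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
    "autodeserialize",
    "allowmultiqueries",
}


def canonicalize(text: str) -> str:
    """URL-decode until the string is stable, so double encoding cannot hide a name."""
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def parse_params(param_string: str) -> dict:
    """Parse 'k=v&k2=v2' (JDBC URL query part or an 'extra params' field).

    Decoding happens before splitting so an encoded '&' or '=' cannot smuggle
    a second parameter past the check; keys are trimmed and lower-cased."""
    params = {}
    for pair in canonicalize(param_string).split("&"):
        if not pair.strip():
            continue
        key, _, value = pair.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def find_blocked_params(jdbc_url_or_extra: str) -> list:
    """Return the blocked parameter names present after normalization."""
    query = jdbc_url_or_extra.split("?", 1)[1] if "?" in jdbc_url_or_extra else jdbc_url_or_extra
    return sorted(k for k in parse_params(query) if k in BLOCKED_PARAMS)


def datasource_config_is_safe(jdbc_url_or_extra: str) -> bool:
    """Reject the configuration if any blocked parameter survives canonicalization."""
    return not find_blocked_params(jdbc_url_or_extra)
```

Rejecting user input is the first layer; pinning allowLoadLocalInfile=false in the server-controlled part of the connection properties is the stronger complementary control.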