DataEase SQL Injection Vulnerability in Dataset Preview API Allowing Arbitrary SQL Execution

Vulnerability

A SQL injection vulnerability has been identified in DataEase versions prior to 2.10.21. The issue resides in the '/de2api/datasetData/previewSql' endpoint, where user-supplied SQL is improperly validated before being executed. This flaw allows authenticated attackers who hold valid datasource credentials to inject and execute arbitrary SQL statements, including data modification commands, on the connected database. The root cause is that the input SQL is wrapped in a subquery without first verifying that it is a single SELECT statement. When this is combined with a JDBC blocklist bypass that enables multiple queries on the connection (the 'allowMultiQueries' option), an attacker can break out of the subquery and execute stacked SQL commands, potentially leading to unauthorized data manipulation.

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, including data modification operations, on the connected database. This could result in unauthorized data changes or corruption.

Reproduction

To reproduce this vulnerability, first create a datasource connection to an internal MySQL database using credentials that have been exfiltrated from a previous exploitation phase. Ensure that the 'allowMultiQueries' option is enabled. Once the datasource is established, verify its functionality by executing a normal SQL query through the 'previewSql' endpoint. After confirming the datasource works, inject a SQL payload that exploits the vulnerability by breaking out of the subquery and executing arbitrary SQL commands, such as an UPDATE statement, on the database.

Remediation

Users are advised to upgrade to DataEase version 2.10.21, where this vulnerability has been fixed.

Added: Apr 16, 2026, 9:27 PM
Updated: Apr 16, 2026, 9:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 4.6
remediation: 7.7
relevance: 6.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.