DataEase
cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*
Affected versions: <= 2.10.20
A remote code execution vulnerability exists in DataEase versions through 2.10.20. The issue arises because the application includes a vulnerable version of Quartz (2.3.2) that deserializes job data from the database without proper safeguards. This flaw can be exploited by an authenticated attacker who can inject malicious payloads into the job data, leveraging a known deserialization vulnerability in Commons Collections to execute arbitrary commands as root.
Exploitation of this vulnerability leads to unauthorized remote code execution on the server, with the executed commands running as the root user.
The vulnerability can be reproduced by first uploading a payload server that hosts the Commons Collections 6 deserialization gadget. Then, inject this payload into the Quartz job data via a SQL injection exploit. Once the payload is injected, wait for the Quartz cron trigger to fire, which will deserialize the payload and execute the injected commands with root privileges.
Users are advised to upgrade to DataEase version 2.10.21, where this vulnerability has been fixed.
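One way to check an existing deployment for injected job data, as an added example that is not DataEase's or Quartz's own code: the script scans stored job-data blobs for Java serialization class descriptors and flags any that come from the Commons Collections package. It assumes the blobs were exported as (job name, bytes) pairs, for instance from the JOB_DATA column of Quartz's standard QRTZ_JOB_DETAILS table; the sample rows and the flagged class name are constructed placeholders.

```python
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization stream header
TC_CLASSDESC = 0x72                 # marks a new class descriptor
CLASS_NAME = re.compile(rb"\[*L?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+;?")
# Assumption: packages that have no business appearing in scheduler job data.
SUSPECT_PREFIXES = ("org.apache.commons.collections.",)


def class_names(blob):
    """Heuristically list class names declared in a Java-serialized blob."""
    if not blob.startswith(STREAM_MAGIC):
        return []  # e.g. job data stored as plain properties text
    names, i = [], len(STREAM_MAGIC)
    while i + 3 <= len(blob):
        if blob[i] == TC_CLASSDESC:
            (length,) = struct.unpack_from(">H", blob, i + 1)
            name = blob[i + 3:i + 3 + length]
            if len(name) == length and CLASS_NAME.fullmatch(name):
                names.append(name.decode("ascii"))
                i += 3 + length
                continue
        i += 1
    return names


def triage(rows):
    """rows: (job_name, job_data) pairs, e.g. from QRTZ_JOB_DETAILS."""
    findings = {}
    for job, blob in rows:
        hits = [n for n in class_names(blob) if n.startswith(SUSPECT_PREFIXES)]
        if hits:
            findings[job] = hits
    return findings


def _desc(name):
    """Build a constructed class-descriptor record (name + zeroed UID)."""
    raw = name.encode("ascii")
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw + b"\x00" * 8


# Constructed sample rows; the flagged class name is a placeholder.
SAMPLE_ROWS = [
    ("dailyReport", STREAM_MAGIC + b"\x73" + _desc("org.quartz.JobDataMap")),
    ("syncTask", STREAM_MAGIC + b"\x73" + _desc("java.util.HashSet")
     + _desc("org.apache.commons.collections.Placeholder")),
    ("propsJob", b"#job data\nkey=value\n"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
```

The scan is a byte-level heuristic, so a hit is a reason to inspect the row and its write history rather than proof of compromise.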