jeecgboot JimuReport
cpe:2.3:a:jeecg:jimureport:*:*:*:*:*:*:*
- <= 2.3.0
A remote code execution vulnerability exists in jeecgboot JimuReport versions up to and including 2.3.0. The issue lies in the BI Dashboard data source management module, specifically the '/drag/onlDragDataSource/testConnection' endpoint, which does not properly validate the H2 database parameters supplied in the 'dbUrl' argument and so allows code injection. By supplying a crafted H2 JDBC URL that includes an INIT parameter in 'dbUrl', an attacker can have arbitrary Java code executed while the database connection is being established. As reported, the vulnerability is exploited by creating a Java alias that calls 'Runtime.getRuntime().exec()', thereby executing operating system commands on the server.
Exploitation of this vulnerability allows authenticated users to execute arbitrary commands on the server where JimuReport is running, potentially leading to a full system compromise.
To reproduce this vulnerability, log into the JimuReport admin panel and navigate to the BI Dashboard. Select any dashboard and click on 'Data Source'. Choose Hsqldb as the database type, enter arbitrary data, and click 'Test'. Intercept the request and modify the 'dbUrl' parameter to include a payload that exploits the vulnerability, such as one that executes a command like 'calc' on Windows. Resend the request, and the command execution will be confirmed when the calculator application opens. This vulnerability can also be exploited on Linux by replacing the command execution part of the payload with a command like 'id > /tmp/pwned', which writes the output of the 'id' command to a file.
The vendor has acknowledged this vulnerability and plans to release a fix in the next version.
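The root cause above is that a user-controlled JDBC URL reaches the driver with its H2 connection settings intact. The following is an added example, not JimuReport's own code or the vendor's fix, showing the kind of check the test-connection endpoint could apply before opening a connection: an allow-list of H2 settings, so that INIT (and any other setting not explicitly permitted) is rejected. The class name, the allowed-settings set and the sample URLs are assumptions constructed for this illustration.

```java
import java.util.Locale;
import java.util.Set;

/** Hypothetical hardening helper: validate a user-supplied H2 JDBC URL before it reaches DriverManager. */
public final class H2JdbcUrlValidator {

    // Constructed allow-list for this example; a real deployment should list only the settings
    // its data-source form genuinely needs. INIT is deliberately absent.
    private static final Set<String> ALLOWED_SETTINGS = Set.of("MODE", "DB_CLOSE_DELAY", "DATABASE_TO_UPPER");

    /** Returns the trimmed URL if every setting is allowed; throws otherwise. */
    public static String validate(String dbUrl) {
        if (dbUrl == null || dbUrl.trim().isEmpty()) {
            throw new IllegalArgumentException("dbUrl is required");
        }
        String url = dbUrl.trim();
        if (!url.toLowerCase(Locale.ROOT).startsWith("jdbc:h2:")) {
            throw new IllegalArgumentException("not an H2 JDBC URL");
        }
        // H2 URLs have the form jdbc:h2:<database>[;<SETTING>=<value>...]; setting names are
        // case-insensitive, so normalise before comparing against the allow-list.
        String[] parts = url.split(";");
        for (int i = 1; i < parts.length; i++) {
            String setting = parts[i].trim();
            if (setting.isEmpty()) {
                continue;
            }
            int eq = setting.indexOf('=');
            String key = (eq < 0 ? setting : setting.substring(0, eq)).trim().toUpperCase(Locale.ROOT);
            if (!ALLOWED_SETTINGS.contains(key)) {
                // Reject on the key alone: the value of a disallowed setting is never inspected or trusted.
                throw new IllegalArgumentException("disallowed H2 connection setting: " + key);
            }
        }
        return url;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign URL and one carrying an INIT setting.
        String[] samples = {
            "jdbc:h2:mem:demo;MODE=MySQL",
            "jdbc:h2:mem:demo;init=placeholder"
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + validate(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Validating the URL is only one layer; since the endpoint is reachable by authenticated users, restricting who may create or test data sources remains a necessary complement.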