Published: 25/10/2022 Updated: 28/10/2022

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 0

Dataease is an open source data visualization analysis tool. Dataease before 1.15.2 has a deserialization vulnerability. In Dataease, the Mysql data source in the data source function can customize the JDBC connection parameters and the Mysql server target to be connected. In `backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java`, the `MysqlConfiguration` class does not filter any parameters. If an attacker adds some parameters to a JDBC url and connects to a malicious mysql server, the attacker can trigger the mysql jdbc deserialization vulnerability. Through the deserialization vulnerability, the attacker can execute system commands and obtain server privileges. Version 1.15.2 contains a patch for this issue.

Vulnerable Product	Search on Vulmon	Subscribe to Product
dataease dataease

Config files for my GitHub profile.

AKA xiwu My CVEs: CVE-2022-39312 CVE-2022-46478 CVE-2023-34094

CWE-502 https://github.com/dataease/dataease/releases/tag/v1.15.2 https://github.com/dataease/dataease/commit/956ee2d6c9e81349a60aef435efc046888e10a6d https://github.com/dataease/dataease/pull/3328 https://github.com/dataease/dataease/security/advisories/GHSA-q4qq-jhjv-7rh2 https://nvd.nist.gov https://github.com/aboutbo/aboutbo

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2022-39312

Vulnerability Summary

Vulnerability Trend

Github Repositories

References

Vulmon Search

About

Products

Connect