Dataease Mysql Data Source JDBC Connection Parameters Not Verified Leads to Deserialization Vulnerability
CVE-2022-39312

9.8CRITICAL

Key Information:

Vendor: Dataease
Status: Dataease
Vendor: CVE Published:; 25 October 2022

What is CVE-2022-39312?

Dataease is an open source data visualization analysis tool. Dataease prior to 1.15.2 has a deserialization vulnerability. In Dataease, the Mysql data source in the data source function can customize the JDBC connection parameters and the Mysql server target to be connected. In backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java, the MysqlConfiguration class does not filter any parameters. If an attacker adds some parameters to a JDBC url and connects to a malicious mysql server, the attacker can trigger the mysql jdbc deserialization vulnerability. Through the deserialization vulnerability, the attacker can execute system commands and obtain server privileges. Version 1.15.2 contains a patch for this issue.

Affected Version(s)

dataease < 1.15.2

References

https://github.com/dataease/dataease/security/advisories/...

https://github.com/dataease/dataease/pull/3328

https://github.com/dataease/dataease/commit/956ee2d6c9e81...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 25, 2022
Vulnerability Reserved
Sep 2, 2022