CVE Vulnerability

CVE-2022-39312

Dataease is an open source data visualization analysis tool. Dataease prior to 1.15.2 has a deserialization vulnerability. In Dataease, the Mysql data source in the data source function can customize the JDBC connection parameters and the Mysql server target to be connected. In `backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java`, the `MysqlConfiguration` class does not filter any parameters. If an attacker adds some parameters to a JDBC url and connects to a malicious mysql server, the attacker can trigger the mysql jdbc deserialization vulnerability. Through the deserialization vulnerability, the attacker can execute system commands and obtain server privileges. Version 1.15.2 contains a patch for this issue.

9.8 /10

CVSS v3.0 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/dataease/dataease/releases/tag/v1.15.2 Release Notes Third Party Advisory
https://github.com/dataease/dataease/commit/956ee2d6c9e81349a60aef435efc046888e10a6d Patch Third Party Advisory
https://github.com/dataease/dataease/pull/3328 Patch Third Party Advisory
https://github.com/dataease/dataease/security/advisories/GHSA-q4qq-jhjv-7rh2 Exploit Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*
Information

Published : 2022-10-25 05:15

Updated : 2022-10-28 06:24

NVD link : CVE-2022-39312

Mitre link : CVE-2022-39312

Products Affected
No products.
CWE
CWE-502

Deserialization of Untrusted Data