Flylzj

**Name of the Vulnerable Software and Affected Versions** DataEase versions prior to 2.10.2 **Description** The issue is related to the lack of signature verification of `jwt` tokens, which allows attackers to forge `jwt` tokens and gain access to any interface. There are no known workarounds for this issue. **Recommendations** For versions prior to 2.10.2, upgrade to version 2.10.2 to fix the issue. As a temporary workaround, consider restricting access to interfaces that use `jwt` tokens until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** DataEase versions prior to 2.10.1 **Description** There is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading. The vulnerability can be exploited by sending a request to the "POST /de2api/staticResource/upload/1 HTTP/1.1" endpoint with a malicious XML file. The `file` parameter can be used to upload the malicious file, which can contain an XML external entity that allows the attacker to read sensitive files. For example, the `1.svg` file can contain an XML external entity that references a remote DTD file, which can be used to read the contents of the `/etc/alpine-release` file. **Recommendations** For DataEase versions prior to 2.10.1, upgrade to version 2.10.1 to fix the vulnerability. As a temporary workaround, consider restricting access to the static resource upload interface to minimize the risk of exploitation. Avoid using the `file` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** DataEase versions prior to 2.10.1 **Description** The issue allows an attacker to achieve remote command execution by adding a carefully constructed h2 data source connection string. This can be done by sending a POST request to the `/de2api/datasource/validate` endpoint with a specially crafted `configuration` parameter in the request body, which includes a manipulated h2 connection string. The connection string can be used to execute arbitrary commands on the system, as demonstrated by the creation of a file in the `/tmp` directory. The estimated number of potentially affected devices is not provided. **Recommendations** For versions prior to 2.10.1, upgrade to version 2.10.1 to fix the vulnerability. As a temporary workaround, consider restricting access to the `/de2api/datasource/validate` endpoint or disabling the `h2` data source connection string until a patch is applied. Avoid using the `configuration` parameter in the affected API endpoint until the issue is resolved.