
Gsbp0

Rank #26,501 of 53,624 · Total CVSS 9.8 · Vulnerabilities: 1
PT-2025-37720 · CVSS 9.8 · 2025-09-15 · Vendor/product: Dataease · Dataease · CVE-2025-58046
**Name of the Vulnerable Software and Affected Versions** Dataease versions 2.10.12 and earlier (all versions prior to 2.10.13).

**Description** Dataease is a data visualization and analysis platform. Versions up to and including 2.10.12 are vulnerable to remote code execution through the Impala data source. The `getJdbc` method of the `io.dataease.datasource.type.Impala` class does not adequately filter the user-supplied JDBC connection string, so an attacker who can modify a data source can supply a crafted connection string that references a remote configuration file. The resulting JNDI lookup triggers RMI-based Java deserialization, which can lead to remote command execution on the Dataease server. The precondition is therefore the ability to edit a data source in the Dataease UI or API; the attack does not require access to the Impala cluster itself.

**Recommendations** Upgrade to Dataease version 2.10.13 or later. Until the upgrade is applied, restrict which accounts may create or edit data sources, and note that a JNDI/RMI lookup only succeeds if the Dataease host can open an outbound connection to the attacker's RMI or LDAP endpoint, so egress filtering from that host reduces exploitability.
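The advisory attributes the flaw to insufficient filtering of the JDBC connection string before it reaches the Impala driver. The following is an added example, not Dataease's own code and not its 2.10.13 fix, of the kind of validation a data-source layer needs in front of a JDBC driver: it parses a `jdbc:impala://` string, fully percent-decodes parameter values so double encoding cannot hide a payload, enforces an allowlist of parameter names (`ALLOWED_PARAMS` is a hypothetical list chosen for this example), and rejects any value carrying a JNDI, RMI, LDAP or remote-file reference. A builder that assembles the URL from typed fields is included as the safer design, since a raw user-controlled string should never be the input in the first place. The sample connection strings are constructed for the example.

```python
"""Validation for Impala JDBC connection strings (added example, hypothetical)."""
import re
from urllib.parse import unquote

# Assumption for this example: the only extra driver parameters a data-source
# form may set. Anything else is rejected instead of being passed through.
ALLOWED_PARAMS = {"authmech", "ssl", "uid", "pwd", "sockettimeout", "connecttimeout"}

# Scheme prefixes that have no business inside a JDBC parameter value: a
# JNDI/RMI/LDAP reference or a remote config file is exactly the injection vector.
FORBIDDEN_PREFIXES = ("jndi:", "rmi:", "ldap:", "ldaps:", "iiop:",
                      "http:", "https:", "file:", "ftp:", "jar:")

HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]{0,252}[a-z0-9])?$")
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def fully_decode(value: str, limit: int = 5) -> str:
    """Percent-decode until the string stops changing, so %25-style double
    encoding cannot smuggle a forbidden scheme past a single decode."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def forbidden_reference(value: str):
    """Return the forbidden scheme found in value (after full decoding), or None."""
    decoded = fully_decode(value).lower()
    return next((p for p in FORBIDDEN_PREFIXES if p in decoded), None)


def validate_impala_jdbc(url: str):
    """Return (True, "") if url is an acceptable Impala JDBC string, else (False, reason)."""
    prefix = "jdbc:impala://"
    if not url.lower().startswith(prefix):
        return False, "scheme must be jdbc:impala://"
    rest = url[len(prefix):]
    if re.search(r"[\x00-\x20\x7f]", rest):
        return False, "control character or whitespace in connection string"
    locator, *raw_params = rest.split(";")          # host[:port][/db];k=v;k=v
    host_port, _, database = locator.partition("/")
    host, _, port = host_port.partition(":")
    if not HOST_RE.match(host.lower()):
        return False, f"bad host {host!r}"
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        return False, f"bad port {port!r}"
    if database and not NAME_RE.match(database):
        return False, f"bad database name {database!r}"
    for raw in raw_params:
        if raw == "":
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            return False, f"parameter without value: {raw!r}"
        if key.lower() not in ALLOWED_PARAMS:
            return False, f"parameter {key!r} is not allowed"
        found = forbidden_reference(value)
        if found:
            return False, f"parameter {key!r} carries a {found} reference"
    return True, ""


def build_impala_jdbc(host: str, port: int, database: str, params: dict) -> str:
    """Safer alternative to accepting a raw string: assemble the URL from typed,
    individually validated fields so separators cannot be smuggled in."""
    if not HOST_RE.match(host.lower()):
        raise ValueError(f"bad host {host!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    if database and not NAME_RE.match(database):
        raise ValueError(f"bad database {database!r}")
    parts = [f"jdbc:impala://{host}:{port}/{database}"]
    for key, value in params.items():
        if key.lower() not in ALLOWED_PARAMS:
            raise ValueError(f"parameter {key!r} is not allowed")
        value = str(value)
        if re.search(r"[;=\s\x00-\x1f%]", value):
            raise ValueError(f"illegal character in value of {key!r}")
        if forbidden_reference(value):
            raise ValueError(f"value of {key!r} is a remote reference")
        parts.append(f"{key}={value}")
    return ";".join(parts)


if __name__ == "__main__":
    # Constructed samples: a benign string and a hostile one with a remote reference.
    for sample in (
        "jdbc:impala://impala.internal:21050/sales;AuthMech=3;UID=etl;PWD=s3cret",
        "jdbc:impala://impala.internal:21050/sales;SomeConfig=rmi://attacker.example/obj",
    ):
        print(sample, "->", validate_impala_jdbc(sample))
```

The prefix match is deliberately coarse (a password containing the text `file:` is rejected too); the allowlist of parameter names is what does the real work, because it stops an unknown driver option from ever reaching the JDBC layer regardless of what its value looks like.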