PT-2022-24894 · Dataease · Dataease

Published: 2022-10-18 · Updated: 2022-10-28 · CVE-2022-39312

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Dataease versions prior to 1.15.2

Description: The issue is a deserialization vulnerability in Dataease, specifically in the MySQL data source function, where both the JDBC connection parameters and the target MySQL server can be customized by the user. The MysqlConfiguration class in backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java does not filter any of these parameters, so an attacker can append malicious parameters to the JDBC URL and point the connection at a MySQL server under their control. This triggers the MySQL JDBC deserialization vulnerability, allowing the attacker to execute system commands and obtain server privileges.

Recommendations: For versions prior to 1.15.2, upgrade to version 1.15.2, which patches the issue. As a temporary workaround, restrict access to the MysqlConfiguration class or disable the customization of JDBC connection parameters to minimize the risk of exploitation. Avoid using the extraParams variable in the affected API endpoint until the issue is resolved.
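One way to implement the recommended restriction on connection parameters, as an added example in Python (not DataEase's own code): the allowlist, the regular expressions and the function names are assumptions; the builder refuses any host, database name or extra parameter it does not recognise instead of forwarding it to the driver.

```python
import re

# Assumed allowlist: only the connection parameters this application actually
# needs. Any key not listed here is rejected rather than passed to the driver,
# so new or unexpected driver options can never reach the JDBC URL.
ALLOWED_PARAMS = frozenset({
    "useSSL", "requireSSL", "serverTimezone", "characterEncoding",
    "connectTimeout", "socketTimeout", "useUnicode",
})
# One key=value pair; values limited to characters that cannot start a new
# URL component (no '&', '?', '/', '#' or '=').
_KEY_VALUE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)=([A-Za-z0-9_.:+-]*)$")
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")
_DB_RE = re.compile(r"^[A-Za-z0-9_]+$")


def rejected_params(extra_params: str) -> list:
    """Return every '&'-separated item that is malformed or not on the allowlist."""
    if not extra_params:
        return []
    bad = []
    for item in extra_params.split("&"):
        match = _KEY_VALUE_RE.match(item)
        if match is None or match.group(1) not in ALLOWED_PARAMS:
            bad.append(item)
    return bad


def build_mysql_jdbc_url(host: str, port: int, database: str, extra_params: str) -> str:
    """Assemble jdbc:mysql://host:port/db?params, raising ValueError on any input
    that is not a plain hostname, a valid port, a simple database name or an
    allowlisted parameter. Validate first, concatenate only afterwards."""
    if not _HOST_RE.match(host):
        raise ValueError("host contains characters that are not part of a hostname")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    if not _DB_RE.match(database):
        raise ValueError("database name contains unexpected characters")
    bad = rejected_params(extra_params)
    if bad:
        raise ValueError("rejected JDBC parameters: " + ", ".join(bad))
    url = f"jdbc:mysql://{host}:{port}/{database}"
    if extra_params:
        url += "?" + extra_params
    return url
```

An allowlist is preferable to a blocklist of known-dangerous driver options, because a blocklist silently falls behind every time the driver grows a new option.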

Tags: Exploit · Fix · Deserialization of Untrusted Data · RCE


Weakness Enumeration

Related Identifiers: CVE-2022-39312, GHSA-Q4QQ-JHJV-7RH2

Affected Products: Dataease