CVE-2024-23328

Name of the Vulnerable Software and Affected Versions Dataease versions prior to 1.18.15 Dataease versions prior to 2.3.0

Description A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The location of the vulnerability code is core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java. The blacklist of mysql jdbc attacks can be bypassed, allowing attackers to further exploit it for deserialized execution or reading arbitrary files.

Recommendations For versions prior to 1.18.15, update to version 1.18.15 or later to resolve the issue. For versions prior to 2.3.0, update to version 2.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Mysql.java file in the core/core-backend/src/main/java/io/dataease/datasource/type directory until a patch is applied.