PT-2024-32319 · Dataease · Dataease

Flylzj · Published 2024-09-23 · Updated 2024-09-27 · CVE-2024-46985

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

DataEase versions prior to 2.10.1

Description

There is an XML external entity (XXE) injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to probe the internal network and read files. The vulnerability can be exploited by sending a request with a malicious XML file to the "POST /de2api/staticResource/upload/1 HTTP/1.1" endpoint. The malicious file is uploaded through the file parameter and can contain an XML external entity that allows the attacker to read sensitive files. For example, the 1.svg file can contain an XML external entity that references a remote DTD file, which can be used to read the contents of the /etc/alpine-release file.

Recommendations

For DataEase versions prior to 2.10.1, upgrade to version 2.10.1 to fix the vulnerability. As a temporary workaround, consider restricting access to the static resource upload interface to minimize the risk of exploitation. Avoid using the file parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2024-46985
GHSA-4M9P-7XG6-F4MM

Affected Products

Dataease