PT-2024-32329 · Dataease · Dataease
Flylzj · Published 2024-09-23 · Updated 2024-10-07 · CVE-2024-46997
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
DataEase versions prior to 2.10.1
Description
The issue allows an attacker to achieve remote command execution by adding a carefully constructed h2 data source connection string. This can be done by sending a POST request to the /de2api/datasource/validate endpoint with a specially crafted configuration parameter in the request body, which includes a manipulated h2 connection string. The connection string can be used to execute arbitrary commands on the system, as demonstrated by the creation of a file in the /tmp directory. The estimated number of potentially affected devices is not provided.
Recommendations
For versions prior to 2.10.1, upgrade to version 2.10.1 to fix the vulnerability. As a temporary workaround, consider restricting access to the /de2api/datasource/validate endpoint or disabling the h2 data source connection string until a patch is applied. Avoid using the configuration parameter in the affected API endpoint until the issue is resolved.
Exploit
Fix
Special Elements Injection
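One way to apply the temporary workaround from the recommendations above, as an added example that is neither DataEase code nor the upstream fix: a request gate that a reverse proxy or filter in front of the application could call to refuse h2 connection strings on the affected endpoint. It assumes the request body is JSON and that the configuration value may itself be JSON or base64-wrapped JSON; the function names and the sample field names other than `configuration` are hypothetical.

```python
import base64
import json
import re

GUARDED_PATH = "/de2api/datasource/validate"  # endpoint named in the advisory
H2_URL = re.compile(r"jdbc:h2:", re.IGNORECASE)
MAX_DEPTH = 3  # assumption: encodings are nested at most a few layers deep

def _unwrap(text):
    """Yield text reinterpreted as JSON and as base64-encoded UTF-8."""
    try:
        yield json.loads(text)
    except (ValueError, RecursionError):
        pass
    try:
        yield base64.b64decode(text, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        pass

def leaf_strings(node, depth=0):
    """Yield every string reachable from node, unwrapping nested encodings."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaf_strings(key, depth)
            yield from leaf_strings(value, depth)
    elif isinstance(node, list):
        for item in node:
            yield from leaf_strings(item, depth)
    elif isinstance(node, str):
        yield node
        if depth < MAX_DEPTH:
            for inner in _unwrap(node):
                yield from leaf_strings(inner, depth + 1)

def should_block(method, path, body):
    """True when a POST to the guarded endpoint carries an h2 JDBC URL."""
    route = path.split("?", 1)[0].rstrip("/")
    if method.upper() != "POST" or route != GUARDED_PATH:
        return False
    try:
        return any(H2_URL.search(s) for s in leaf_strings(json.loads(body)))
    except (TypeError, ValueError, RecursionError):
        return True  # fail closed on an unparseable or over-nested body

# Constructed sample body (not captured traffic); field names are assumptions.
_cfg = base64.b64encode(b'{"jdbc": "jdbc:h2:mem:example"}').decode()
SAMPLE_BODY = json.dumps({"type": "h2", "configuration": _cfg})
```

Path matching here is exact, so the caller should pass the path as the application server will route it, after URL decoding and normalization.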
Affected Products
Dataease