PT-2024-32391

Springkill · Published 2024-09-09 · Updated 2024-11-12 · CVE-2024-47074

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 1.18.25

Description: DataEase is an open source data visualization analysis tool. The PostgreSQL data source function allows customization of JDBC connection parameters and of the PG server target. However, the PgConfiguration class in backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java does not filter any parameters and directly concatenates user input into the JDBC URL. This allows an attacker to add parameters to the JDBC URL and connect to a malicious PG server, triggering the PG JDBC deserialization vulnerability. Through that deserialization the attacker can execute system commands and obtain server privileges.

Recommendations: For versions prior to 1.18.25, update to version 1.18.25 or later to fix the vulnerability. As a temporary workaround, consider restricting access to the PostgreSQL data source function to minimize the risk of exploitation. Avoid using customized JDBC connection parameters and PG server targets until the issue is resolved.
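The following Java is an added illustration, not DataEase code and not the project's own fix. It places the unfiltered concatenation the advisory describes next to a hardened builder that accepts only an explicit allowlist of pgjdbc connection parameters, syntax-checks every value, and requires the target host to be one an administrator has approved. The class name, the contents of the allowlist, the host policy and the sample inputs are all assumptions chosen for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not DataEase code): building a PostgreSQL JDBC URL from
 * user-supplied data-source settings.
 *
 * buildUnsafe  - the pattern the advisory describes: host, port, database and a
 *                free-form parameter string are concatenated verbatim, so anyone
 *                who can edit a data source controls both the driver options and
 *                the server the driver connects to.
 * buildSafe    - only allowlisted driver parameters are accepted, values are
 *                syntax-checked, and the host must be pre-approved. Unknown
 *                parameters are rejected outright rather than silently dropped.
 */
public final class PgJdbcUrlBuilder {

    /** Driver options that only tune an ordinary session. Assumption: this allowlist is a deployment policy choice. */
    private static final Set<String> ALLOWED_PARAMS = Set.of(
            "ssl", "sslmode", "connectTimeout", "socketTimeout",
            "ApplicationName", "currentSchema", "readOnly", "tcpKeepAlive");

    private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9_.\\-]{1,64}");
    private static final Pattern SAFE_IDENT = Pattern.compile("[A-Za-z0-9_\\-]{1,63}");
    private static final Pattern SAFE_HOST  = Pattern.compile("[A-Za-z0-9.\\-]{1,253}");

    private PgJdbcUrlBuilder() {}

    /** Unsafe version, shown only for contrast: no validation of any input. */
    public static String buildUnsafe(String host, int port, String db, String extraParams) {
        String url = "jdbc:postgresql://" + host + ":" + port + "/" + db;
        if (extraParams != null && !extraParams.isEmpty()) {
            url += "?" + extraParams;   // user-controlled text lands in the URL unchanged
        }
        return url;
    }

    /**
     * Hardened version. allowedHosts is the administrator-approved set of PG
     * servers this deployment may connect to (assumption: such a policy exists).
     */
    public static String buildSafe(String host, int port, String db, String extraParams,
                                   Set<String> allowedHosts) {
        if (host == null || !SAFE_HOST.matcher(host).matches() || !allowedHosts.contains(host)) {
            throw new IllegalArgumentException("host is not an approved PostgreSQL server: " + host);
        }
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("port out of range: " + port);
        }
        if (db == null || !SAFE_IDENT.matcher(db).matches()) {
            throw new IllegalArgumentException("database name contains unexpected characters");
        }
        Map<String, String> params = parseParams(extraParams);
        StringBuilder url = new StringBuilder("jdbc:postgresql://")
                .append(host).append(':').append(port).append('/').append(db);
        String sep = "?";
        for (Map.Entry<String, String> e : params.entrySet()) {
            url.append(sep).append(e.getKey()).append('=').append(e.getValue());
            sep = "&";
        }
        return url.toString();
    }

    /** Splits "k=v&k2=v2" and rejects anything that is not an allowlisted key with a plain value. */
    static Map<String, String> parseParams(String extraParams) {
        Map<String, String> out = new LinkedHashMap<>();
        if (extraParams == null || extraParams.isBlank()) {
            return out;
        }
        for (String pair : extraParams.split("&")) {
            int eq = pair.indexOf('=');
            if (eq <= 0 || eq == pair.length() - 1) {
                throw new IllegalArgumentException("malformed parameter: " + pair);
            }
            String key = pair.substring(0, eq);
            String value = pair.substring(eq + 1);
            if (!ALLOWED_PARAMS.contains(key)) {
                throw new IllegalArgumentException("driver parameter not permitted: " + key);
            }
            if (!SAFE_VALUE.matcher(value).matches()) {
                throw new IllegalArgumentException("unexpected characters in value for " + key);
            }
            if (out.put(key, value) != null) {
                throw new IllegalArgumentException("duplicate parameter: " + key);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        Set<String> approved = Set.of("pg.internal.example");   // constructed sample host policy
        System.out.println(buildSafe("pg.internal.example", 5432, "analytics",
                "sslmode=require&connectTimeout=10", approved));
        try {   // a parameter outside the allowlist is refused, not stripped
            buildSafe("pg.internal.example", 5432, "analytics", "sslmode=require&loggerLevel=DEBUG", approved);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The design point is that the hardened builder never tries to recognise dangerous options; it only recognises the handful it needs, so a new driver feature cannot widen the attack surface without a deliberate change to the allowlist. Restricting the host to an approved set addresses the second half of the advisory, the ability to point the connection at a server the attacker controls.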

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2024-47074
GHSA-JGG7-W629-WCPC

Affected Products

Dataease
Postgresql