Vulnerability Information
Although we use advanced large-model technology, its output may still contain inaccurate or outdated information. 神龙 makes every effort to ensure the accuracy of its data, but please verify it and use your own judgement in your actual situation.
Vulnerability Title
Dataease Mysql Data Source JDBC Connection Parameters Not Verified Leads to Deserialization Vulnerability
Vulnerability Description
DataEase is an open source data visualization and analysis tool. Versions of DataEase prior to 1.15.2 contain a deserialization vulnerability. In the data source feature, a MySQL data source lets the user supply both the JDBC connection parameters and the target MySQL server to connect to. In `backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java`, the `MysqlConfiguration` class applies no filtering to these parameters. An attacker who appends suitable parameters to the JDBC URL and points the data source at a MySQL server under their control can therefore trigger the known MySQL JDBC (Connector/J) deserialization issue, in which the driver deserializes data supplied by the server; with a usable gadget chain on the application's classpath this yields system command execution and control of the server. Version 1.15.2 contains a patch for this issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type
Improper Input Validation
Vulnerability Title
DataEase Code Issue Vulnerability
Vulnerability Description
DataEase is an open source data visualization and analysis tool that helps users quickly analyze data and gain insight into business trends in order to improve and optimize their business. DataEase versions prior to 1.15.2 contain a security vulnerability that stems from a deserialization flaw: the MySQL data source in the data source function lets the user customize the JDBC connection parameters and the target MySQL server, and none of these parameters are filtered. If an attacker adds certain parameters to the JDBC URL and connects to a malicious MySQL server, they can trigger the MySQL JDBC deserialization vulnerability and go on to execute system commands and obtain server privileges.
CVSS Information
N/A
Vulnerability Type
N/A
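Both descriptions above point at the same root cause: a user-controlled parameter string is appended to the JDBC URL unchecked, so client-side Connector/J options that a hostile server can abuse are accepted (`autoDeserialize`, which makes the driver deserialize BLOB data it receives, and the `statementInterceptors`/`queryInterceptors` options that exploit chains pair with it). The following Python is an added example written for this page; it is not DataEase code and not the 1.15.2 patch. It parses the parameter string the way a data source form would receive it, normalises each key (URL-decoding, trimming and lower-casing, so that the check does not depend on the driver's exact matching rules) and rejects a denylist of dangerous keys or, preferably, anything outside a small allowlist. The key lists and the hypothetical `build_mysql_jdbc_url` helper are assumptions.

```python
"""Validate user-supplied MySQL JDBC connection parameters before they reach
the driver. Added example for this page; not DataEase code."""
from urllib.parse import unquote, urlencode

# Connector/J client-side options a hostile MySQL server can turn against the
# client. Assumed list: autoDeserialize makes the driver deserialize BLOB bytes
# the server sends; the interceptor options are what exploit chains pair it
# with; the LOCAL INFILE options let the server pull files from the client.
DENIED_KEYS = frozenset({
    "autodeserialize",
    "statementinterceptors",       # Connector/J 5.1 name
    "queryinterceptors",           # Connector/J 8.0 name
    "allowloadlocalinfile",
    "allowloadlocalinfileinpath",
    "allowurlinlocalinfile",
})

# Options a data source form has a legitimate reason to accept (assumed allowlist).
ALLOWED_KEYS = frozenset({
    "usessl", "requiressl", "servertimezone", "characterencoding",
    "useunicode", "connecttimeout", "sockettimeout",
})


def parse_params(raw: str) -> dict:
    """Parse 'k=v&k2=v2' (or a whole JDBC URL, taking what follows the first '?')
    into {normalised_key: (original_key, value)}. Keys are URL-decoded, trimmed
    and lower-cased so 'AutoDeserialize' and 'auto%44eserialize' cannot slip
    past a plain string comparison."""
    if "?" in raw:
        raw = raw.split("?", 1)[1]
    params = {}
    for segment in raw.split("&"):
        if not segment.strip():
            continue
        key, _, value = segment.partition("=")
        key = unquote(key).strip()
        params[key.lower()] = (key, unquote(value))
    return params


def find_violations(raw: str, allowlist: bool = False) -> list:
    """Return the offending normalised keys, sorted. Denylist mode flags only
    known-dangerous options; allowlist mode flags anything not explicitly
    permitted, which is the safer default for a multi-tenant tool."""
    keys = set(parse_params(raw))
    bad = keys - ALLOWED_KEYS if allowlist else keys & DENIED_KEYS
    return sorted(bad)


def build_mysql_jdbc_url(host: str, port: int, database: str, extra: str) -> str:
    """Hypothetical replacement for unchecked string concatenation: refuse to
    build the URL if the user-controlled extra parameters fail validation."""
    violations = find_violations(extra, allowlist=True)
    if violations:
        raise ValueError("rejected JDBC parameters: " + ", ".join(violations))
    clean = {orig: val for orig, val in parse_params(extra).values()}
    query = urlencode(clean)
    return f"jdbc:mysql://{host}:{port}/{database}" + (f"?{query}" if query else "")


if __name__ == "__main__":
    # Constructed inputs: a benign parameter string and one an attacker would submit.
    print(build_mysql_jdbc_url("db.example.internal", 3306, "sales",
                               "useSSL=true&serverTimezone=UTC"))
    print(find_violations("useSSL=false&AutoDeserialize=true"
                          "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor"))
```

The denylist is only a backstop: new driver options appear over time, so an allowlist of the handful of options the form actually needs is the durable fix. Note also that the data source feature still connects to whatever host the user names, so filtering parameters removes the deserialization and local-file primitives but not the outbound connection itself; egress restrictions on the DataEase host are a separate control.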