From this webpage screenshot, the following key information about the vulnerability can be obtained: ### Vulnerability Overview - **Vulnerability Name**: Dataease H2 JDBC Connection Remote Code Execution - **CVE ID**: CVE-2021-42392 - **CVSS Score**: 7.5 (High) - **Release Date**: October 8, 2021 ### Affected Scope - **Affected Versions**: DataEase v1.10.0 and earlier - **Fixed Version**: DataEase v1.10.1 ### Vulnerability Description - **Vulnerability Type**: Remote Code Execution (RCE) - **Root Cause**: A deserialization vulnerability exists in the H2 database JDBC connection within DataEase. Attackers can trigger this vulnerability by crafting malicious requests, enabling them to execute arbitrary code on the target server. ### Vulnerability Details - **Critical Code Snippet**: ```java // Vulnerable code snippet String sql = "SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME = '" + tableName + "'"; ``` - **Exploitation Method**: Attackers can construct malicious SQL statements or parameters, causing the application to trigger the deserialization vulnerability during SQL parsing and execution, thereby executing arbitrary malicious code. ### Impact - **Potential Risks**: Attackers can execute arbitrary code on the target server, potentially leading to data leakage, system compromise, and other severe consequences. ### Remediation Recommendations - **Official Patch**: Upgrade to DataEase v1.10.1 or later. - **Temporary Mitigation**: Disable unnecessary H2 database JDBC connection features and restrict external access to related interfaces. ### Reference Links - [Official Announcement](https://www.dataease.io/zh/docs/dataease/v1.10.1/release-notes/) - [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42392) This information enables security teams to quickly identify and remediate the vulnerability, reducing potential security risks.