## Critical Vulnerability Information - **Vulnerability Title**: ujcms 10.0.2 JDBC Connection Injection - **Vulnerability Description**: - In the `ImportDataController`'s `importChannel` endpoint, the application receives a `DataSourceSqlParams` object from the user. - The code directly passes user-controlled `driverClassName` and `url` parameters to `DriverManagerDataSource` to establish a database connection. - Due to the lack of validation on JDBC URL and driver class name, attackers can exploit the following: 1. **Arbitrary File Read**: By specifying a MySQL driver and connecting to a malicious MySQL server controlled by the attacker, the attacker can leverage the MySQL protocol's `LOAD DATA LOCAL INFILE` feature to read and upload arbitrary local files (e.g., `/etc/passwd` or `C:/Windows/win.ini`). 2. **Remote Code Execution (RCE)**: If drivers such as H2 database, SQLite, or MySQL drivers vulnerable to deserialization attacks exist in the classpath, attackers can execute arbitrary system commands by crafting specific JDBC URLs (e.g., using H2's `RUNSCRIPT` command). - **Source**:  - **Submitter**: Saul1213 (UID 94577) - **Submission Date**: 2023-02-10 09:29 AM (12 days ago) - **Review Date**: 2023-02-21 10:11 PM (12 days later) - **Status**: Accepted - **VulDB Entry ID**: 2347320 - **Related Products and Vulnerability Details**: Dromara UJCMS 10.0.2 ImportDataController import-channel driverClassName/url injection - **Score**: 20