CVE-2025-57772

High CVSS: 8.2

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, there is a H2 JDBC RCE bypass in DataEase. If the JDBC URL meets criteria, the getJdbcUrl method is returned, which acts as the getter for the JdbcUrl parameter provided. This bypasses H2's filtering logic and returns the H2 JDBC URL, allowing the "driver":"org.h2.Driver" to specify the H2 driver for the JDBC connection. The vulnerability has been fixed in version 2.10.12.

Vendor

Dataease

Product

Dataease

CWE

CWE-94

Yayın Tarihi

2025-08-25 17:15:30

Güncelleme

2025-09-03 13:41:43

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-94 Dataease HIGH Dataease 2025

Referanslar

https://github.com/dataease/dataease/commit/1644d81dff46272b09570fa1f4a8f83f01f37440 https://github.com/dataease/dataease/security/advisories/GHSA-v37q-vh67-9rqv

Benzer Kayıtlar

High

CVE-2026-32939

DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handlin…

Critical

CVE-2026-32137

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasourc…

Medium

CVE-2026-32139

Dataease is an open source data visualization analysis tool. In DataEase 2.10.19 and earlier, the static resource upload…

Critical

CVE-2026-32140

Dataease is an open source data visualization analysis tool. Prior to 2.10.20, By controlling the IniFile parameter, an…

High

CVE-2026-23958

Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the…

High

CVE-2025-64428

Dataease is an open source data visualization analysis tool. Versions prior to 2.10.17 are vulnerable to JNDI injection.…