Dataease Mysql Data Source JDBC Connection Parameters Not Verified Leads to Deserialization Vulnerability
Description
Dataease is an open source data visualization and analysis tool. Dataease prior to 1.15.2 has a deserialization vulnerability. In Dataease, the MySQL data source in the data source function lets users customize both the JDBC connection parameters and the target MySQL server to connect to. In backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java, the MysqlConfiguration class does not filter any of these parameters. If an attacker adds certain parameters to the JDBC URL and points the connection at a malicious MySQL server, the attacker can trigger the MySQL JDBC deserialization vulnerability and, through it, execute system commands and obtain server privileges. Version 1.15.2 contains a patch for this issue.
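As an added illustration of the missing check (hypothetical code, not DataEase's own), the following Java class validates a user-supplied extraParams string with an allowlist instead of a blocklist: each key is URL-decoded and compared case-insensitively against the parameters the default extraParams already uses, values are restricted to plain tokens, and the query string is rebuilt from the accepted pairs only. The class name, the allowlist contents and the value pattern are assumptions, and the code needs Java 11 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.StringJoiner;

/** Hypothetical allowlist validator for the MySQL JDBC extraParams string (not DataEase code). */
public final class JdbcExtraParams {

    // Only the keys the application itself needs (those in the default extraParams), compared lower-cased.
    private static final Set<String> ALLOWED_KEYS = Set.of(
            "characterencoding", "connecttimeout", "usessl",
            "allowpublickeyretrieval", "zerodatetimebehavior");

    /** Parses "k=v&k2=v2", decodes each part and rejects any key outside the allowlist. */
    public static Map<String, String> validate(String extraParams) {
        Map<String, String> accepted = new LinkedHashMap<>();
        if (extraParams == null || extraParams.trim().isEmpty()) {
            return accepted;
        }
        for (String pair : extraParams.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            // Decode before comparing so the validator and the driver see the same key name.
            String key = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8).trim();
            String value = eq < 0 ? "" : URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8).trim();
            if (!ALLOWED_KEYS.contains(key.toLowerCase(Locale.ROOT))) {
                throw new IllegalArgumentException("JDBC parameter not permitted: " + key);
            }
            // Values are kept to simple tokens such as UTF-8, 5000, false or convertToNull (assumed pattern).
            if (!value.matches("[A-Za-z0-9._-]*")) {
                throw new IllegalArgumentException("Illegal value for JDBC parameter " + key);
            }
            accepted.put(key, value);
        }
        return accepted;
    }

    /** Rebuilds the query string from the validated pairs only, so nothing unvetted reaches the driver. */
    public static String toQueryString(Map<String, String> params) {
        StringJoiner joiner = new StringJoiner("&");
        params.forEach((k, v) -> joiner.add(k + "=" + v));
        return joiner.toString();
    }
}
```

Calling `toQueryString(validate(extraParams))` in place of appending the raw string to the URL means a request carrying any key that is not on the allowlist fails with an IllegalArgumentException before a connection is attempted.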
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.dataease:dataease-plugin-common | Maven | < 1.15.2 | 1.15.2 |
Patches
956ee2d6c9e8 fix(data source): MySQL JDBC deserialization vulnerability
1 file changed · +12 −2
backend/src/main/java/io/dataease/dto/datasource/MysqlConfiguration.java+12 −2 modified@@ -5,20 +5,30 @@ import lombok.Setter; import org.apache.commons.lang3.StringUtils; +import java.util.Arrays; +import java.util.List; + @Getter @Setter public class MysqlConfiguration extends JdbcConfiguration { private String driver = "com.mysql.jdbc.Driver"; private String extraParams = "characterEncoding=UTF-8&connectTimeout=5000&useSSL=false&allowPublicKeyRetrieval=true&zeroDateTimeBehavior=convertToNull"; + private List<String> illegalParameters = Arrays.asList("autoDeserialize", "queryInterceptors", "statementInterceptors", "detectCustomCollations"); public String getJdbc() { - if(StringUtils.isEmpty(extraParams.trim())){ + if (StringUtils.isEmpty(extraParams.trim())) { return "jdbc:mysql://HOSTNAME:PORT/DATABASE" .replace("HOSTNAME", getHost().trim()) .replace("PORT", getPort().toString().trim()) .replace("DATABASE", getDataBase().trim()); - }else { + } else { + for (String illegalParameter : illegalParameters) { + if (getExtraParams().contains(illegalParameter)) { + throw new RuntimeException("Illegal parameter: " + illegalParameter); + } + } + return "jdbc:mysql://HOSTNAME:PORT/DATABASE?EXTRA_PARAMS" .replace("HOSTNAME", getHost().trim()) .replace("PORT", getPort().toString().trim())
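Review bot: the new loop in getJdbc() is a case-sensitive substring blocklist over getExtraParams(), which is fragile: it only catches the four spellings listed and has to be extended whenever the driver gains another property that loads classes or installs interceptors. A more robust check parses extraParams into key/value pairs, URL-decodes them and accepts only an allowlist of the keys the application actually needs (the ones already present in the default extraParams), raising a specific exception such as IllegalArgumentException rather than a bare RuntimeException. The hunk as shown is also cut off after the PORT replace, so the remaining .replace("DATABASE", ...) and EXTRA_PARAMS substitution cannot be reviewed here.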
References
- github.com/advisories/GHSA-q4qq-jhjv-7rh2 (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-39312 (advisory, via GHSA)
- github.com/dataease/dataease/commit/956ee2d6c9e81349a60aef435efc046888e10a6d (web, via GHSA)
- github.com/dataease/dataease/pull/3328 (web, via GHSA)
- github.com/dataease/dataease/releases/tag/v1.15.2 (web, via GHSA)
- github.com/dataease/dataease/security/advisories/GHSA-q4qq-jhjv-7rh2 (web, via GHSA)