Unrated severityNVD Advisory· Published Jun 3, 2025· Updated Jun 4, 2025
Dataease Redshift Data Source JDBC Connection Parameters Not Verified Leads to RCE Vulnerability
CVE-2025-48999
Description
DataEase is an open source business intelligence and data visualization tool. A bypass of CVE-2025-46566's patch exists in versions prior to 2.10.10. In a malicious payload, getUrlType() retrieves hostName. Since the judgment statement returns false, it will not enter the if statement and will not be filtered. The payload can be directly concatenated at the replace location to construct a malicious JDBC statement. Version 2.10.10 contains a patch for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- github.com/dataease/dataease/commit/03b18db8a0fb7e9dc2c44f6d26d8c6221b7748c4mitrex_refsource_MISC
- github.com/dataease/dataease/security/advisories/GHSA-6pq2-6q8x-mp2rmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.