5 matches found
CVE-2025-62419 DataEase vulnerable to JDBC URL injection in DB2 and MongoDB data source configuration
DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE...
CVE-2025-62419 DataEase vulnerable to JDBC URL injection in DB2 and MongoDB data source configuration
DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE...
CVE-2025-62420 DataEase vulnerable to remote code execution via H2 JDBC driver bypass
DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual...
CVE-2025-58748 Dataease H2 data source JDBC URL validation bypass leads to remote code execution
Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12 the H2 data source implementation H2.java does not verify that a provided JDBC URL starts with jdbc:h2. This lack of validation allows a crafted JDBC configuration that substitutes the Amazon...
CVE-2025-58748
CVE-2025-58748 affects DataEase up to version 2.10.12, where the H2 data source (H2.java) does not validate that a JDBC URL starts with jdbc:h2 . This enables a crafted configuration to substitute the Amazon Redshift driver and leverage socketFactory/socketFactoryArg to trigger a remote XML resou...