SB2026041644 - Multiple vulnerabilities in DataEase
Published: April 16, 2026
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2025-48999)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper input validation in the Redshift data source JDBC connection parameter handling when constructing a JDBC connection string from user-supplied host input. A remote user can supply crafted JDBC connection parameters to execute arbitrary code.
The issue is a bypass of a previous fix and relies on malicious JDBC parameters being concatenated into the constructed connection string.
2) Improper input validation (CVE-ID: CVE-2025-48998)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper input validation in the JDBC connection string construction logic when handling datasource validation requests. A remote user can supply a specially crafted host value to inject malicious JDBC parameters and disclose sensitive information.
The issue affects the MySQL datasource configuration path when urlType is set to hostName.
3) Improper access control (CVE-ID: CVE-2025-49002)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in the /de2api/datasource/validate endpoint when handling crafted H2 JDBC connection strings. A remote user can send a specially crafted request with a forged token and malicious JDBC URL to execute arbitrary code.
The issue can be exploited by bypassing the case-sensitive prohibition of INIT and RUNSCRIPT, and code execution occurs even when secret verification fails because the application still proceeds to establish the JDBC connection.
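The three JDBC issues above share one fix pattern: vet the host before it is concatenated into a URL, check the finished URL for connect-time SQL settings case-insensitively, and never fall through to a connection after a check fails. The following is an added example written for this bulletin, not DataEase's own code; the class name, the scheme allowlist and the secret-verification flag are assumptions.

```java
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not DataEase code. Class and method names are hypothetical.
public final class JdbcUrlGuard {
    // A host may only be a hostname, IPv4 or bracketed IPv6 literal, optionally
    // with a port. ';', '?', '&', '=' and whitespace are excluded, so the value
    // cannot carry extra JDBC parameters into the URL built from it.
    private static final Pattern SAFE_HOST = Pattern.compile(
        "^[A-Za-z0-9._-]+(:[0-9]{1,5})?$|^\\[[0-9A-Fa-f:.]+\\](:[0-9]{1,5})?$");

    // H2 settings that execute SQL at connect time. Case-insensitive and
    // tolerant of whitespace around '=', so a change of case or padding does
    // not slip past the check (the bypass described for CVE-2025-49002).
    private static final Pattern CONNECT_TIME_SQL = Pattern.compile(
        "(?i)[;&?]\\s*(INIT|RUNSCRIPT)\\s*=");

    // Assumed allowlist: only the drivers this deployment needs; H2 is deliberately absent.
    private static final Set<String> ALLOWED_SCHEMES = Set.of("jdbc:mysql:", "jdbc:redshift:");

    public static boolean isSafeHost(String host) {
        return host != null && SAFE_HOST.matcher(host).matches();
    }

    public static boolean isSafeJdbcUrl(String url) {
        if (url == null || CONNECT_TIME_SQL.matcher(url).find()) return false;
        String lower = url.toLowerCase(Locale.ROOT);
        return ALLOWED_SCHEMES.stream().anyMatch(lower::startsWith);
    }

    // Order matters: check the request secret first, then the inputs, and throw
    // before any driver is loaded. No branch falls through to a connection.
    public static String buildUrl(boolean secretVerified, String scheme, String host, String db) {
        if (!secretVerified) throw new SecurityException("secret verification failed");
        if (!isSafeHost(host)) throw new IllegalArgumentException("rejected host value");
        if (!db.matches("[A-Za-z0-9_]+")) throw new IllegalArgumentException("rejected database name");
        String url = scheme + "//" + host + "/" + db;
        if (!isSafeJdbcUrl(url)) throw new IllegalArgumentException("rejected JDBC URL");
        return url;
    }

    public static void main(String[] args) {
        System.out.println(buildUrl(true, "jdbc:mysql:", "db.internal:3306", "reports"));
        // Constructed rejected inputs: an injected parameter and a case-changed H2 setting.
        System.out.println(isSafeHost("db.internal:3306?param=1"));
        System.out.println(isSafeJdbcUrl("jdbc:mysql://h/db;Init=x"));
    }
}
```

The same fail-closed ordering applies to the token filter in item 4: a token whose signature does not verify must end the request there, not continue down the filter chain with its decoded uid and oid.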
4) Improper Authentication (CVE-ID: CVE-2025-49001)
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to improper authentication in TokenFilter.java and CommunityTokenFilter.java when handling requests with a crafted X-DE-TOKEN header. A remote attacker can send a specially crafted JWT token to bypass authentication.
The issue occurs because the token is decoded to extract uid and oid without verifying its legitimacy, and processing continues through the filter chain even after token signature verification fails.
Remediation
Install the update from the vendor's website.
References
- https://github.com/dataease/dataease/security/advisories/GHSA-6pq2-6q8x-mp2r
- https://github.com/advisories/GHSA-6pq2-6q8x-mp2r
- https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692
- https://github.com/advisories/GHSA-2wfc-qwx7-w692
- https://github.com/dataease/dataease/security/advisories/GHSA-999m-jv2p-5h34
- https://github.com/dataease/dataease
- https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r