SB2026041645 - Multiple vulnerabilities in DataEase
Published: April 16, 2026
Description
This security bulletin contains information about 4 security vulnerabilities.
1) SQL injection (CVE-ID: CVE-2025-62422)
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the /de2api/datasetData/tableField interface when handling a crafted tableName parameter. A remote user can send a specially crafted request to execute arbitrary SQL commands.
Exploitation requires access to the vulnerable interface and the ability to supply the tableName parameter.
2) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CVE-ID: CVE-2025-62421)
The vulnerability allows a remote user to execute arbitrary script in a user's browser.
The vulnerability exists due to improper access control in the StaticResourceApi upload route when handling crafted file upload requests whose target path ends in a whitelisted, script-like extension. A remote user can upload a crafted HTML file and access it through a path ending in a permitted extension to execute arbitrary script in a user's browser.
3) Improper input validation (CVE-ID: CVE-2025-62420)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper input validation in the getJdbc function in H2.java when handling datasource validation requests. A remote attacker can send a specially crafted request to execute arbitrary code.
The issue arises because the check validates that jdbcUrl starts with "jdbc:h2" while the actual connection URL is taken from the separate jdbc field, allowing use of an arbitrary JDBC driver and connection URL.
4) Improper input validation (CVE-ID: CVE-2025-62419)
The vulnerability allows a remote user to trigger outbound requests to an attacker-controlled server.
The vulnerability exists due to improper input validation in the db2 and Mongo data source JDBC URL construction logic when processing user-supplied connection parameters. A remote user can supply a malicious JDBC string in the hostname field to trigger outbound requests to an attacker-controlled server.
The issue is triggered when the Get Schema function processes a data source configuration with empty extraParams.
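Items 3 and 4 share one root cause: the value that is validated is not the value that is used. The following is an added illustration, not DataEase code; the field names jdbcUrl and jdbc follow the bulletin, while the component names (host, port, db, driver) and the sample values are assumptions. It places the mismatched H2 check beside a version that validates the string actually handed to the driver, and shows the db2/Mongo URL being assembled only from components that have been checked as data rather than URL syntax.

```python
"""Validate the value you actually use (bulletin items 3 and 4).

Added illustration, not DataEase code. The keys ``jdbcUrl`` and ``jdbc``
follow the bulletin; all other names and sample values are assumptions.
"""
import re
from typing import Optional

# Letters, digits, hyphens and dots only: no ':', '/', ';' or '?' that
# would let a "hostname" smuggle URL or driver-property syntax (item 4).
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def h2_url_vulnerable(cfg: dict) -> Optional[str]:
    """Mirrors item 3: the prefix test runs on ``jdbcUrl`` while the
    connection string really passed to the driver comes from ``jdbc``."""
    if not cfg.get("jdbcUrl", "").startswith("jdbc:h2"):
        return None
    return cfg.get("jdbc")  # never checked: any driver URL passes through


def h2_url_fixed(cfg: dict) -> Optional[str]:
    """Pick the string that will be used, then validate that same string."""
    url = cfg.get("jdbc", "")
    if not url.startswith("jdbc:h2:"):
        return None
    return url


def build_jdbc_url(driver: str, host: str, port: int, db: str) -> Optional[str]:
    """Item 4: the URL is assembled from user-supplied parts, so each part
    is checked as plain data before it is concatenated into URL syntax."""
    if not TOKEN_RE.match(driver) or not TOKEN_RE.match(db):
        return None
    if not HOST_RE.match(host) or not 1 <= port <= 65535:
        return None
    return f"jdbc:{driver}://{host}:{port}/{db}"


if __name__ == "__main__":
    # Constructed config: an H2-looking display field beside a non-H2
    # connection string in the field the code really uses.
    cfg = {"jdbcUrl": "jdbc:h2:mem:demo", "jdbc": "jdbc:otherdriver://203.0.113.10/x"}
    print("vulnerable:", h2_url_vulnerable(cfg))  # other driver accepted
    print("fixed:", h2_url_fixed(cfg))            # None: rejected
    print(build_jdbc_url("db2", "db.example.invalid", 50000, "sales"))
    print(build_jdbc_url("db2", "203.0.113.10:50000/x;k=v", 50000, "sales"))  # None
```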
Remediation
Install the update from the vendor's website.
References
- https://github.com/dataease/dataease/security/advisories/GHSA-54m5-xrw4-mv36
- https://github.com/advisories/GHSA-54m5-xrw4-mv36
- https://github.com/dataease/dataease/security/advisories/GHSA-2wmv-rr3p-pf43
- https://github.com/advisories/GHSA-2wmv-rr3p-pf43
- https://github.com/dataease/dataease/security/advisories/GHSA-7wcv-j6gc-qc7q
- https://github.com/dataease/dataease/security/advisories/GHSA-x4x9-mjcf-99r9