#VU126334 Improper input validation in DataEase - CVE-2025-27103

 


Published: March 13, 2025 / Updated: April 16, 2026


Vulnerability identifier: #VU126334
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-27103
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
DataEase
Software vendor:
DataEase

Description

The vulnerability allows a remote user to read arbitrary files.

The vulnerability exists due to improper input validation in the MySQL JDBC connection configuration when constructing and using JDBC connection strings with encoded connection parameters. A remote user can supply a specially crafted JDBC URL or extra parameters to read arbitrary files.

The issue can be exploited after logging in through the background JDBC connection, and the advisory states that arbitrary files can also be deserialized.
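
A defensive check for the flaw class described above, as an added example that is not DataEase's code or its patch: it percent-decodes user-supplied extra parameters until the value is stable, then compares property names against a deny list. The class and method names are hypothetical, and the deny list is an assumption built from MySQL Connector/J options that enable client-side file reads or deserialization; the advisory does not name the parameters involved.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Set;

public class JdbcParamCheck { // hypothetical class name
    // Assumed deny list: Connector/J options that enable client-side file
    // reads or object deserialization (the advisory names no parameters).
    private static final Set<String> DENIED = Set.of(
        "allowloadlocalinfile", "allowurlinlocalinfile", "allowloadlocalinfileinpath",
        "autodeserialize", "queryinterceptors", "statementinterceptors");

    // Percent-decode until the string stops changing, so that %61 and %2561
    // both collapse to "a". Bounded so hostile input cannot loop forever.
    static String fullyDecode(String s) {
        for (int i = 0; i < 5; i++) {
            // Throws IllegalArgumentException on malformed %xx sequences.
            String d = URLDecoder.decode(s, StandardCharsets.UTF_8);
            if (d.equals(s)) return d;
            s = d;
        }
        throw new IllegalArgumentException("too many encoding layers");
    }

    // Returns normally if the extra-parameter string is acceptable, throws otherwise.
    static void validate(String extraParams) {
        String decoded = fullyDecode(extraParams);
        for (String pair : decoded.split("[&;?]")) {
            // Property names are compared case-insensitively after decoding.
            String name = pair.split("=", 2)[0].trim().toLowerCase(Locale.ROOT);
            if (DENIED.contains(name)) {
                throw new IllegalArgumentException("denied JDBC property: " + name);
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, three that must be rejected.
        String[] samples = {
            "characterEncoding=UTF-8&useSSL=true",
            "allowLoadLocalInfile=true",
            "%61llowLoadLocalInfile=true",
            "useSSL=false&%2561utoDeserialize=true" };
        for (String s : samples) {
            try { validate(s); System.out.println("accept " + s); }
            catch (IllegalArgumentException e) { System.out.println("reject " + s + ": " + e.getMessage()); }
        }
    }
}
```

An allow list of permitted property names is stricter than the deny list used here, since it also rejects options that are not yet known to be dangerous.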


Remediation

Install the security update from the vendor's website.
