CVE-2024-47074— Dataease PostgreSQL Data Source JDBC Connection Parameters Not Verified Leads to Deserialization Vulnerability
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-47074
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dataease PostgreSQL Data Source JDBC Connection Parameters Not Verified Leads to Deserialization Vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
DataEase is an open source data visualization analysis tool. In Dataease, the PostgreSQL data source in the data source function can customize the JDBC connection parameters and the PG server target to be connected. In backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java, PgConfiguration class don't filter any parameters, directly concat user input. So, if the attacker adds some parameters in JDBC url, and connect to evil PG server, the attacker can trigger the PG jdbc deserialization vulnerability, and eventually the attacker can execute through the deserialization vulnerability system commands and obtain server privileges. The vulnerability has been fixed in v1.18.25.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
DataEase 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
DataEase是DataEase开源的一个开源的数据可视化分析工具。用于帮助用户快速分析数据并洞察业务趋势,从而实现业务的改进与优化。 DataEase v1.18.25之前版本存在代码问题漏洞,该漏洞源于参数处理不当,如果攻击者在JDBC URL中添加某些参数并连接到恶意PG服务器,可能会导致系统命令执行和获得服务器权限。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-47074
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-47074
请登录查看更多情报信息。
- fix: pg jdbc 校验非法字符 · dataease/dataease@86eafc4 · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2024-47074
IV. Related Vulnerabilities
Same product: dataease
- CVE-2026-8724
Dataease Data Dashboard SqlparserUtils.java SqlparserUtils.t - CVE-2026-40901
DataEase: Quartz Deserialization → Remote Code Execution - CVE-2026-40900
DataEase has SQL Injection via Stacked Queries - CVE-2026-40899
DataEase has an Arbitrary File Read Vulnerability - CVE-2026-33207
DataEase SQL Injection Vulnerability
Same vendor: dataease
- CVE-2026-42463
SQLBot: Unauthorized Access Vulnerability - CVE-2026-33324
SQLBot prompt injection allows arbitrary SQL execution and r - CVE-2026-40901
DataEase: Quartz Deserialization → Remote Code Execution - CVE-2026-40900
DataEase has SQL Injection via Stacked Queries - CVE-2026-40899
DataEase has an Arbitrary File Read Vulnerability
Same weakness: CWE-502
- CVE-2026-44501
DataHub OIDC REDIRECT_URL Cookie Deserialization Vulnerabili - CVE-2026-1184
Deserialization of Untrusted Data in GitLab - CVE-2026-41957
BIG-IP and BIG-IQ Configuration utility vulnerability - CVE-2026-7635
coreActivity: Activity Logging for WordPress <= 3.0 - Unauth - CVE-2026-34659
Adobe Connect | Deserialization of Untrusted Data (CWE-502)
V. Comments for CVE-2024-47074
No comments yet