CVE-2025-57772 (GCVE-0-2025-57772)
Vulnerability from cvelistv5
Published
2025-08-25 17:00
Modified
2025-08-25 20:36
Severity ?
8.2 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, there is a H2 JDBC RCE bypass in DataEase. If the JDBC URL meets criteria, the getJdbcUrl method is returned, which acts as the getter for the JdbcUrl parameter provided. This bypasses H2's filtering logic and returns the H2 JDBC URL, allowing the "driver":"org.h2.Driver" to specify the H2 driver for the JDBC connection. The vulnerability has been fixed in version 2.10.12.
References
security-advisories@github.comhttps://github.com/dataease/dataease/commit/1644d81dff46272b09570fa1f4a8f83f01f37440Patch
security-advisories@github.comhttps://github.com/dataease/dataease/security/advisories/GHSA-v37q-vh67-9rqvThird Party Advisory, Exploit
Impacted products
Vendor Product Version
dataease dataease Version: < 2.10.12
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-57772",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-25T20:35:59.462237Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-25T20:36:07.604Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dataease",
          "vendor": "dataease",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.10.12"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, there is a H2 JDBC RCE bypass in DataEase. If the JDBC URL meets criteria, the getJdbcUrl method is returned, which acts as the getter for the JdbcUrl parameter provided. This bypasses H2\u0027s filtering logic and returns the H2 JDBC URL, allowing the \"driver\":\"org.h2.Driver\" to specify the H2 driver for the JDBC connection. The vulnerability has been fixed in version 2.10.12."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-25T17:00:20.382Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dataease/dataease/security/advisories/GHSA-v37q-vh67-9rqv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dataease/dataease/security/advisories/GHSA-v37q-vh67-9rqv"
        },
        {
          "name": "https://github.com/dataease/dataease/commit/1644d81dff46272b09570fa1f4a8f83f01f37440",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dataease/dataease/commit/1644d81dff46272b09570fa1f4a8f83f01f37440"
        }
      ],
      "source": {
        "advisory": "GHSA-v37q-vh67-9rqv",
        "discovery": "UNKNOWN"
      },
      "title": "Dataease H2 JDBC RCE Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-57772",
    "datePublished": "2025-08-25T17:00:20.382Z",
    "dateReserved": "2025-08-19T15:16:22.918Z",
    "dateUpdated": "2025-08-25T20:36:07.604Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-57772\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-08-25T17:15:30.340\",\"lastModified\":\"2025-09-03T13:41:43.700\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, there is a H2 JDBC RCE bypass in DataEase. If the JDBC URL meets criteria, the getJdbcUrl method is returned, which acts as the getter for the JdbcUrl parameter provided. This bypasses H2\u0027s filtering logic and returns the H2 JDBC URL, allowing the \\\"driver\\\":\\\"org.h2.Driver\\\" to specify the H2 driver for the JDBC connection. The vulnerability has been fixed in version 2.10.12.\"},{\"lang\":\"es\",\"value\":\"DataEase es una herramienta de c\u00f3digo abierto para inteligencia empresarial y visualizaci\u00f3n de datos. Antes de la versi\u00f3n 2.10.12, DataEase inclu\u00eda una omisi\u00f3n de RCE JDBC H2. Si la URL JDBC cumple los criterios, se devuelve el m\u00e9todo getJdbcUrl, que act\u00faa como captador del par\u00e1metro JdbcUrl proporcionado. Esto omite la l\u00f3gica de filtrado de H2 y devuelve la URL JDBC H2, lo que permite que \\\"driver\\\":\\\"org.h2.Driver\\\" especifique el controlador H2 para la conexi\u00f3n JDBC. Esta vulnerabilidad se ha corregido en la versi\u00f3n 2.10.12.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.10.12\",\"matchCriteriaId\":\"F085F6E0-34D5-42CB-8C24-272C9DDDCFCA\"}]}]}],\"references\":[{\"url\":\"https://github.com/dataease/dataease/commit/1644d81dff46272b09570fa1f4a8f83f01f37440\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/dataease/dataease/security/advisories/GHSA-v37q-vh67-9rqv\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\",\"Exploit\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-57772\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-25T20:35:59.462237Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-25T20:36:03.556Z\"}}], \"cna\": {\"title\": \"Dataease H2 JDBC RCE Bypass\", \"source\": {\"advisory\": \"GHSA-v37q-vh67-9rqv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"dataease\", \"product\": \"dataease\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.10.12\"}]}], \"references\": [{\"url\": \"https://github.com/dataease/dataease/security/advisories/GHSA-v37q-vh67-9rqv\", \"name\": \"https://github.com/dataease/dataease/security/advisories/GHSA-v37q-vh67-9rqv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/dataease/dataease/commit/1644d81dff46272b09570fa1f4a8f83f01f37440\", \"name\": \"https://github.com/dataease/dataease/commit/1644d81dff46272b09570fa1f4a8f83f01f37440\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, there is a H2 JDBC RCE bypass in DataEase. If the JDBC URL meets criteria, the getJdbcUrl method is returned, which acts as the getter for the JdbcUrl parameter provided. This bypasses H2\u0027s filtering logic and returns the H2 JDBC URL, allowing the \\\"driver\\\":\\\"org.h2.Driver\\\" to specify the H2 driver for the JDBC connection. The vulnerability has been fixed in version 2.10.12.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-08-25T17:00:20.382Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-57772\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-25T20:36:07.604Z\", \"dateReserved\": \"2025-08-19T15:16:22.918Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-08-25T17:00:20.382Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.