Executive Summary

Informations
Name CVE-2022-39312 First vendor Publication 2022-10-25
Vendor Cve Last vendor Modification 2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Overall CVSS Score 9.8
Base Score 9.8 Environmental Score 9.8
impact SubScore 5.9 Temporal Score 9.8
Exploitabality Sub Score 3.9
 
Attack Vector Network Attack Complexity Low
Privileges Required None User Interaction None
Scope Unchanged Confidentiality Impact High
Integrity Impact High Availability Impact High
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score N/A Attack Range N/A
Cvss Impact Score N/A Attack Complexity N/A
Cvss Expoit Score N/A Authentication N/A
Calculate full CVSS 2.0 Vectors scores

Detail

Dataease is an open source data visualization analysis tool. Dataease prior to 1.15.2 has a deserialization vulnerability. In Dataease, the Mysql data source in the data source function can customize the JDBC connection parameters and the Mysql server target to be connected. In `backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java`, the `MysqlConfiguration` class does not filter any parameters. If an attacker adds some parameters to a JDBC url and connects to a malicious mysql server, the attacker can trigger the mysql jdbc deserialization vulnerability. Through the deserialization vulnerability, the attacker can execute system commands and obtain server privileges. Version 1.15.2 contains a patch for this issue.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39312

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-502 Deserialization of Untrusted Data

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 4

Sources (Detail)

https://github.com/dataease/dataease/commit/956ee2d6c9e81349a60aef435efc04688...
https://github.com/dataease/dataease/pull/3328
https://github.com/dataease/dataease/releases/tag/v1.15.2
https://github.com/dataease/dataease/security/advisories/GHSA-q4qq-jhjv-7rh2
Source Url

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
Date Informations
2025-03-29 03:10:05
  • Multiple Updates
2024-11-28 14:15:05
  • Multiple Updates
2022-10-29 00:27:19
  • Multiple Updates
2022-10-28 02:08:20
  • Multiple Updates
2022-10-28 02:08:06
  • Multiple Updates
2022-10-27 17:27:12
  • Multiple Updates
2022-10-25 21:27:11
  • First insertion