CVE-2025-32966
Dataease H2 JDBC Connection Remote Code Execution
In short
DataEase, a business intelligence tool, allows authenticated users to execute arbitrary code on the server through a malicious JDBC database connection. This means someone with login access can take complete control of the system.
Technical detail
Authenticated users can achieve remote code execution by crafting a malicious JDBC connection string in the backend database link configuration. The vulnerability exists in DataEase versions prior to 2.10.8 and requires valid authentication credentials as a precondition; successful exploitation grants arbitrary code execution on the server with application privileges.
Summary generated and translated by AI from the official description.
DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.8, authenticated users can complete RCE through the backend JDBC link. This issue has been patched in version 2.10.8.
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
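A defensive check in the spirit of the issue described above, added here as example code (not DataEase's own patch): treat a user-configured JDBC connection string as untrusted input, allowlist the driver subprotocol and the connection properties it may set, and reject everything else. The allowlists and sample URLs are illustrative assumptions.

```python
"""Allowlist validation for user-supplied JDBC connection strings (added example)."""
import re

# Assumption: only these drivers may be opened from a user-configured data source.
ALLOWED_SUBPROTOCOLS = {"mysql", "postgresql"}
# Assumption: connection properties permitted per driver; anything else is refused.
ALLOWED_PROPS = {
    "mysql": {"useSSL", "serverTimezone", "connectTimeout"},
    "postgresql": {"ssl", "sslmode", "connectTimeout"},
}

JDBC_RE = re.compile(r"^jdbc:([a-z0-9]+):(.*)$", re.IGNORECASE)


def validate_jdbc_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only if every part of the URL is allowlisted."""
    m = JDBC_RE.match(url.strip())
    if not m:
        return False, "not a jdbc url"
    sub, rest = m.group(1).lower(), m.group(2)
    if sub not in ALLOWED_SUBPROTOCOLS:
        # Embedded/file-based engines such as H2 are never opened from user input.
        return False, f"driver '{sub}' not permitted"
    # Semicolon-separated driver settings let a URL configure driver behaviour
    # beyond host/database; refuse them even for allowlisted drivers.
    if ";" in rest:
        return False, "semicolon-separated driver settings not permitted"
    _, _, query = rest.partition("?")
    for kv in filter(None, query.split("&")):
        key = kv.split("=", 1)[0]
        if key not in ALLOWED_PROPS[sub]:
            return False, f"property '{key}' not permitted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one benign URL and several that must be rejected.
    for sample in (
        "jdbc:mysql://db.internal:3306/bi?useSSL=true",
        "jdbc:h2:mem:bi",
        "jdbc:mysql://db.internal/bi;autoReconnect=true",
        "jdbc:postgresql://db.internal/bi?sslmode=require&loggerLevel=TRACE",
    ):
        print(sample, "->", validate_jdbc_url(sample))
```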
Affected products
dataease · dataease