TROYANOSYVIRUS
Voltar para CVEs

CVE-2026-32939

HIGH
8.1

Descricao

DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its security checks to rely on the JVM's default runtime locale, while H2 JDBC always normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter i to İ (dotted capital I) instead of the standard I, so a malicious parameter like iNIT becomes İNIT in DataEase's filter (bypassing its blacklist) while H2 still correctly interprets it as INIT. This discrepancy allows attackers to smuggle dangerous JDBC parameters past DataEase's security validation, and the issue has been confirmed as exploitable in real DataEase deployment scenarios running under affected regional settings. The issue has been fixed in version 2.10.20.

Detalhes CVE

Pontuacao CVSS v3.18.1
SeveridadeHIGH
Vetor CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeHIGH
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado3/20/2026
Ultima modificacao3/23/2026
Fontenvd
Avistamentos honeypot0

Produtos afetados

dataease:dataease

Fraquezas (CWE)

CWE-178

Referencias

https://github.com/dataease/dataease/commit/8f1c21834a620d37dafb3fa24605c059d0a5b80d(security-advisories@github.com)
https://github.com/dataease/dataease/releases/tag/v2.10.20(security-advisories@github.com)
https://github.com/dataease/dataease/security/advisories/GHSA-pj7p-3m49-52qq(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.