{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T19:43:13.770","vulnerabilities":[{"cve":{"id":"CVE-2022-39312","sourceIdentifier":"security-advisories@github.com","published":"2022-10-25T17:15:55.813","lastModified":"2024-11-21T07:18:00.703","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Dataease is an open source data visualization analysis tool. Dataease prior to 1.15.2 has a deserialization vulnerability. In Dataease, the Mysql data source in the data source function can customize the JDBC connection parameters and the Mysql server target to be connected. In `backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java`, the `MysqlConfiguration` class does not filter any parameters. If an attacker adds some parameters to a JDBC url and connects to a malicious mysql server, the attacker can trigger the mysql jdbc deserialization vulnerability. Through the deserialization vulnerability, the attacker can execute system commands and obtain server privileges. Version 1.15.2 contains a patch for this issue."},{"lang":"es","value":"Dataease es una herramienta de análisis de visualización de datos de código abierto. Dataease versiones anteriores a 1.15.2, presenta una vulnerabilidad de deserialización. En Dataease, la fuente de datos Mysql en la función de fuente de datos puede personalizar los parámetros de conexión JDBC y el objetivo del servidor Mysql a conectar. En \"backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java\", la clase \"MysqlConfiguration\" no filtra ningún parámetro. Si un atacante añade algunos parámetros a una url JDBC y es conectado a un servidor mysql malicioso, el atacante puede desencadenar una vulnerabilidad de deserialización mysql jdbc. Mediante una vulnerabilidad de deserialización, el atacante puede ejecutar comandos del sistema y obtener privilegios del servidor. La versión 1.15.2 contiene un parche para este problema"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":9.8,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-20"},{"lang":"en","value":"CWE-502"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-502"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*","versionEndExcluding":"1.15.2","matchCriteriaId":"118D387C-8D54-4649-B3A9-CD4DE706B423"}]}]}],"references":[{"url":"https://github.com/dataease/dataease/commit/956ee2d6c9e81349a60aef435efc046888e10a6d","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/dataease/dataease/pull/3328","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/dataease/dataease/releases/tag/v1.15.2","source":"security-advisories@github.com","tags":["Release Notes","Third Party Advisory"]},{"url":"https://github.com/dataease/dataease/security/advisories/GHSA-q4qq-jhjv-7rh2","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/dataease/dataease/commit/956ee2d6c9e81349a60aef435efc046888e10a6d","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/dataease/dataease/pull/3328","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/dataease/dataease/releases/tag/v1.15.2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Release Notes","Third Party Advisory"]},{"url":"https://github.com/dataease/dataease/security/advisories/GHSA-q4qq-jhjv-7rh2","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]}]}}]}