GMS-2022-5474: Improper Neutralization

October 18, 2022

Improper Neutralization in io.dataease:dataease-plugin-common. If an attacker can add some parameters in JDBC url, and connect to evil mysql server, they can trigger the mysql jdbc deserialization vulnerability, and eventually the attacker can execute through the deserialization vulnerability system commands and obtain server privileges.

References

github.com/advisories/GHSA-q4qq-jhjv-7rh2
github.com/dataease/dataease/security/advisories/GHSA-q4qq-jhjv-7rh2

Detect and mitigate GMS-2022-5474 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →