Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its security checks to rely on the JVM's default runtime locale, while H2 JDBC always normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter i to İ (dotted capital I) instead of the standard I, so a malicious parameter like iNIT becomes İNIT in DataEase's filter (bypassing its blacklist) while H2 still correctly interprets it as INIT. This discrepancy allows attackers to smuggle dangerous JDBC parameters past DataEase's security validation, and the issue has been confirmed as exploitable in real DataEase deployment scenarios running under affected regional settings. The issue has been fixed in version 2.10.20.
AnalysisAI
DataEase versions 2.10.19 and below contain a locale-dependent validation bypass vulnerability that allows attackers to smuggle dangerous JDBC parameters past security filters. The flaw stems from inconsistent locale handling where DataEase's validation uses the JVM default locale while H2 JDBC always uses English locale, causing Turkish locale environments to misinterpret malicious parameters like 'iNIT' (bypassing blacklist as 'İNIT' while H2 executes it as 'INIT'). This has been confirmed as exploitable in real deployment scenarios and enables authenticated attackers with low privileges to achieve high-impact code execution or data access, though there is no evidence yet of active exploitation or public proof-of-concept.
Technical ContextAI
This vulnerability affects DataEase, an open-source data visualization platform written in Java that uses H2 JDBC for database connectivity. The root cause is CWE-178 (Improper Handling of Case Sensitivity), specifically a locale inconsistency issue. DataEase's security validation uses String.toUpperCase() without an explicit locale parameter, defaulting to the JVM runtime locale, while the H2 JDBC driver consistently normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java's case conversion rules differ significantly from English—the lowercase 'i' becomes 'İ' (dotted capital I) rather than 'I'. This creates a dangerous discrepancy where malicious JDBC parameters can be crafted to appear benign to DataEase's blacklist filter but still be executed as dangerous commands by the underlying H2 database engine. The affected product according to EUVD is dataease versions prior to 2.10.20.
RemediationAI
Upgrade DataEase to version 2.10.20 or later, which contains the fix for this locale-handling vulnerability as documented in the release notes at https://github.com/dataease/dataease/releases/tag/v2.10.20 and commit 8f1c21834a620d37dafb3fa24605c059d0a5b80d at https://github.com/dataease/dataease/commit/8f1c21834a620d37dafb3fa24605c059d0a5b80d. Organizations unable to immediately upgrade and running DataEase in Turkish or similar locale environments should consider temporarily switching the JVM default locale to English (en_US) using the -Duser.language=en and -Duser.country=US JVM parameters, though this is a workaround and not a complete security solution. Additionally, restrict network access to DataEase instances to trusted IP ranges and implement strict authentication controls to minimize the low-privilege requirement for exploitation. Consult the GitHub security advisory at https://github.com/dataease/dataease/security/advisories/GHSA-pj7p-3m49-52qq for complete vendor guidance.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-178 – Improper Handling of Case Sensitivity
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13525