Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Authenticated operator can trigger it (PR:L), but staging rsjdbc.ini in tmpdir raises complexity (AC:H); RCE escapes the app component into the host, so S:C with full C/I/A impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
DataEase is an open source data visualization and analysis tool. Prior to 2.10.23, DataEase Redshift datasource connections can load attacker-controlled rsjdbc.ini configuration from System.getProperty("java.io.tmpdir"), setting socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext so com.amazon.redshift.Driver#connect, com.amazon.redshift.Driver#getJdbcIniFile, and com.amazon.redshift.util.ObjectFactory#instantiate execute a reflection-based remote code execution chain during a normal JDBC connection through io.dataease.datasource.type.Redshift. This issue is fixed in version 2.10.23.
AnalysisAI
Reflection-based remote code execution in DataEase before 2.10.23 lets an authenticated operator who can configure a Redshift datasource achieve arbitrary code execution on the server. The Redshift JDBC driver loads an attacker-controlled rsjdbc.ini from the system temp directory and honors a malicious socketFactory pointing at Spring's FileSystemXmlApplicationContext, turning a normal JDBC connection into a code-execution chain. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) a low-privileged authenticated DataEase account (PR:L) capable of creating/configuring a Redshift datasource through io.dataease.datasource.type.Redshift; (2) an attacker-controlled rsjdbc.ini placed in the path returned by System.getProperty("java.io.tmpdir") on the DataEase server; and (3) that rsjdbc.ini setting socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext to trigger com.amazon.redshift.util.ObjectFactory#instantiate during connect. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:L/UI:N, all impacts High, subsequent-system impacts High) scores 9.0 Critical, but the qualitative signals matter more than the number: AC:H and AT:P mean the attack is not trivial or automatable - the attacker must both possess a low-privilege DataEase account able to create a Redshift datasource (PR:L) and stage a malicious rsjdbc.ini in the server's java.io.tmpdir. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged DataEase user who can add data sources plants a crafted rsjdbc.ini in the server's temp directory that sets socketFactory to Spring's FileSystemXmlApplicationContext referencing a malicious bean XML, then configures and tests a Redshift datasource. When DataEase opens the JDBC connection, the Redshift driver instantiates the Spring context via reflection and executes the attacker's code on the server. … |
| Remediation | Vendor-released patch: 2.10.23 - upgrade DataEase to 2.10.23 or later, which per the fix commit (3e58149f1e014b1a7ae2c12134b37ae438f676ac) hardens startup by setting AMAZON_REDSHIFT_JDBC_INI_FILE, user.home, and java.io.tmpdir to "null" so the Redshift driver no longer loads an attacker-controlled rsjdbc.ini. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all DataEase deployments in your environment and determine their current versions to assess exposure. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor m
Auth bypass in DataEase via CVE-2025-49001 patch evasion. PoC available.
Auth bypass in DataEase BI tool before 2.10.10.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
A remote code execution vulnerability in DataEase (CVSS 9.8). Risk factors: public PoC available.
DataEase data visualization tool prior to 2.10.19 uses MD5-hashed passwords without salting, allowing attackers to crack
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
DataEase is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization and analysis tool. Rated critical severity (CVSS 9.8), this vulnerability
Dataease is an open source data visualization analysis tool. Rated critical severity (CVSS 9.8), this vulnerability is r
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44775