
SQL injection risk exists; the keyword blacklist for defending against SQL injection can be bypassed

High
fit2cloudrd published GHSA-7j7j-9rw6-3r56 Mar 24, 2023

Package

maven io.dataease (Maven)

Affected versions

<= 1.18.4

Patched versions

1.18.5

Description

Impact

Irregular SQL construction (string splicing) leads to SQL injection. The keyword blacklist used to defend against SQL injection is incomplete, so injection is possible using methods that the blacklist does not cover.

Interface: /api/sys_msg/list/1/10
Vulnerable parameter: orders

  1. A SQL error is raised after inserting a single quote into the parameter.

  2. src/main/java/io/dataease/ext/ExtSysMsgMapper.xml uses '$' (MyBatis string substitution rather than a bound parameter) to splice orderByClause directly into the SQL, which leads to injection; several other XML mapper files also use '$' for splicing.

  3. The keyword blacklist for defending against SQL injection can be viewed in src/main/java/io/dataease/commons/wrapper/XssAndSqlHttpServletRequestWrapper.java.

  4. In error-based injection, functions such as GTID_SUBSET can also be used to bypass the blacklist; a keyword blacklist is hard to maintain completely and is prone to gaps.
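Because an ORDER BY clause cannot be sent as a bound parameter, the durable fix is to validate the user-supplied orders string against an allowlist before it reaches a '$' placeholder. The following is an added example of that approach, not DataEase's own patch; the sortable column names and the default ordering are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Allowlist-based validation for an "orders" request parameter (example code). */
public final class OrderBySanitizer {
    // Hypothetical set of columns the sys_msg list endpoint may sort on.
    private static final Set<String> SORTABLE_COLUMNS =
            Set.of("msg_id", "create_time", "status", "type_id");
    // One order item: a bare identifier with an optional asc/desc direction.
    private static final Pattern ITEM =
            Pattern.compile("^([A-Za-z_][A-Za-z0-9_]*)(?:\\s+(asc|desc))?$", Pattern.CASE_INSENSITIVE);

    private OrderBySanitizer() {}

    /**
     * Converts e.g. "create_time desc, msg_id" into a clause safe to splice into SQL.
     * Anything that is not an allowlisted column plus a direction is rejected outright,
     * so quotes, comments and function calls never reach the SQL string, regardless of
     * whether a keyword blacklist would have recognised them.
     */
    public static String sanitize(String orders) {
        if (orders == null || orders.isBlank()) {
            return "create_time desc"; // assumed default ordering
        }
        List<String> parts = new ArrayList<>();
        for (String raw : orders.split(",")) {
            Matcher m = ITEM.matcher(raw.trim());
            if (!m.matches()) {
                throw new IllegalArgumentException("invalid order item: " + raw.trim());
            }
            String column = m.group(1).toLowerCase();
            if (!SORTABLE_COLUMNS.contains(column)) {
                throw new IllegalArgumentException("column not sortable: " + column);
            }
            String dir = m.group(2) == null ? "asc" : m.group(2).toLowerCase();
            parts.add(column + " " + dir);
        }
        return String.join(", ", parts);
    }

    public static void main(String[] args) {
        // Accepted: only allowlisted columns and directions survive.
        System.out.println(sanitize("create_time DESC, msg_id"));   // create_time desc, msg_id asc
        // Rejected: a single quote does not match the identifier pattern.
        try { sanitize("create_time'"); } catch (IllegalArgumentException e) { System.out.println(e.getMessage()); }
    }
}
```

The validated clause is then what the mapper's orderByClause receives; the raw request value is never spliced.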

Affected versions: <= 1.18.4

Patches

The vulnerability has been fixed in v1.18.5.

Workarounds

It is recommended to upgrade the version to v1.18.5.

References

If you have any questions or comments about this advisory:

Open an issue in https://github.com/dataease/dataease
Email us at wei@fit2cloud.com

Severity

High

CVE ID

CVE-2023-28437

Weaknesses

No CWEs

Credits