216.73.217.22

CVE-2025-62419

· Published 17/10/2025 18:15 · Modified 17/10/2025 18:15

Labels: CVE-2025-62419 2025-10-17CVE-2025-62419CWE-502[email protected]

Essential information

Published
17/10/2025 18:15
Modified
17/10/2025 18:15
Author
Creator
CVSS
8.2 HIGH (v3) 8.2 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

DataEase is a data visualization and analytics platform. In DataEase versions through 2.10.13, a JDBC URL injection vulnerability exists in the DB2 and MongoDB data source configuration handlers. In the DB2 data source handler, when the extraParams field is empty, the HOSTNAME, PORT, and DATABASE values are directly concatenated into the JDBC URL without filtering illegal parameters. This allows an attacker to inject a malicious JDBC string into the HOSTNAME field to bypass previously patched vulnerabilities CVE-2025-57773 and CVE-2025-58045. The vulnerability is fixed in version 2.10.14. No known workarounds exist.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
dataease / dataease cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

References