Vulnerabilities

CVE-2026-33083

Severity: High ⚡ Exploit Available
Weakness Type: CWE-89
Published: Apr 16, 2026  ·  Modified: Apr 23, 2026  ·  Source: NVD
CVSS v3: 8.8  ·  🔗 NVD Official
📄 Description (English)

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the orderDirection parameter used in dataset-related endpoints including /de2api/datasetData/enumValueDs and /de2api/datasetTree/exportDataset. The Order2SQLObj class directly assigns the raw user-supplied orderDirection value into the SQL query without any validation or whitelist enforcement, and the value is rendered into the ORDER BY clause via StringTemplate before being executed against the database. An authenticated attacker can inject arbitrary SQL commands through the sorting direction field, enabling time-based blind data extraction and denial of service. This issue has been fixed in version 2.10.21.

🤖 AI Executive Summary

DataEase versions 2.10.20 and below contain a critical SQL injection vulnerability in the orderDirection parameter affecting dataset endpoints. An authenticated attacker can inject arbitrary SQL commands through the sorting direction field to extract sensitive data or cause denial of service. This vulnerability is actively exploitable and requires immediate patching to version 2.10.21 or implementation of compensating controls.

🤖 AI Intelligence Analysis  ·  Analyzed: Apr 23, 2026 03:11
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using DataEase for business intelligence and analytics face significant risk, particularly in the banking sector (SAMA-regulated institutions), government agencies (under NCA oversight), healthcare organizations managing patient data, and energy-sector analytics platforms. Because the attack requires authentication, exposure is limited to internal users, but compromised credentials or insider threats could enable exfiltration of financial records, operational intelligence, and sensitive analytics. Organizations in the financial services sector regulated by SAMA are at highest risk because of their data sensitivity requirements.
🏢 Affected Saudi Sectors
Banking and Financial Services · Government and Public Administration · Healthcare · Energy and Utilities · Telecommunications · Insurance · Retail and E-commerce
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all DataEase instances in your environment running versions 2.10.20 or below
2. Restrict access to affected endpoints (/de2api/datasetData/enumValueDs, /de2api/datasetTree/exportDataset) to trusted users only
3. Enable comprehensive audit logging for all database queries and API requests to these endpoints
4. Monitor for suspicious SQL patterns in orderDirection parameters (keywords: UNION, SELECT, DROP, INSERT, UPDATE, DELETE, EXEC, SCRIPT)

PATCHING GUIDANCE:
1. Upgrade to DataEase version 2.10.21 or later immediately
2. Test patches in non-production environment first
3. Plan maintenance window with minimal business impact
4. Verify patch application by checking version number post-deployment

COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in orderDirection parameter
2. Apply input validation at application layer: whitelist only 'ASC' and 'DESC' values for orderDirection
3. Use database user accounts with minimal privileges (read-only where possible)
4. Implement rate limiting on affected endpoints
5. Enable SQL query logging and alerting for suspicious patterns

DETECTION RULES:
1. Monitor for orderDirection parameters containing: UNION, SELECT, DROP, INSERT, UPDATE, DELETE, EXEC, SCRIPT, OR, AND, SLEEP, BENCHMARK
2. Alert on multiple failed database queries from same user session
3. Track unusual data extraction patterns (large result sets from analytics endpoints)
4. Monitor for time-based blind SQL injection indicators (delayed response times on API calls)
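As an added illustration of the compensating control (allow-list 'ASC'/'DESC') and the detection rules above, here is a Python allow-list validator for orderDirection together with a detector that flags any request to the affected endpoints whose orderDirection falls outside the allow-list. This is not DataEase's own code; the key=value audit-log format, its field names, the sample lines and the 5-second "delayed response" threshold are assumptions.

```python
import re

# Compensating control: the only legitimate sort directions are ASC and DESC, so
# validation is an exact allow-list, not a keyword deny-list.
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
# Keywords from the advisory's detection rules, reported as supporting evidence only.
SQL_KEYWORDS = ("UNION", "SELECT", "DROP", "INSERT", "UPDATE", "DELETE",
                "EXEC", "SCRIPT", "OR", "AND", "SLEEP", "BENCHMARK")
KEYWORD_RE = re.compile(r"\b(?:" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)
# Endpoints named in the advisory; the latency threshold is an assumption.
AFFECTED_PATHS = ("/de2api/datasetData/enumValueDs", "/de2api/datasetTree/exportDataset")
SLOW_RESPONSE_MS = 5000
# Assumed audit-log format: space-separated key=value pairs, one request per line.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def validate_order_direction(value: str) -> str:
    """Return the normalised direction or raise ValueError (the application-layer control)."""
    normalised = value.strip().upper()
    if normalised not in ALLOWED_DIRECTIONS:
        raise ValueError("orderDirection must be ASC or DESC")
    return normalised

def inspect_log_line(line: str):
    """Return a finding if an affected endpoint got a non-allow-listed orderDirection, else None."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    path = fields.get("path", "")
    if not any(path.startswith(p) for p in AFFECTED_PATHS):
        return None
    value = fields.get("orderDirection", "")
    try:
        validate_order_direction(value)
        return None  # legitimate request, nothing to report
    except ValueError:
        return {"user": fields.get("user"), "path": path, "value": value,
                # which advisory keywords appeared, for analyst context
                "keywords": sorted({m.upper() for m in KEYWORD_RE.findall(value)}),
                # delayed response alongside a bad value: time-based blind indicator
                "slow": int(fields.get("ms", 0)) >= SLOW_RESPONSE_MS}

def scan(lines):
    # Run the detector over a sequence of log lines and collect all findings.
    return [f for f in map(inspect_log_line, lines) if f is not None]

# Constructed sample log lines, not real DataEase output.
SAMPLE_LOG = [
    'ts=2026-04-16T10:00:01Z user=alice path=/de2api/datasetData/enumValueDs orderDirection=ASC ms=120',
    'ts=2026-04-16T10:00:02Z user=bob path=/de2api/datasetTree/exportDataset orderDirection="desc " ms=340',
    'ts=2026-04-16T10:00:03Z user=mallory path=/de2api/datasetData/enumValueDs orderDirection="DESC, SLEEP(5)" ms=5210',
    'ts=2026-04-16T10:00:04Z user=carol path=/de2api/dashboard/list orderDirection="x OR y" ms=50',
    'ts=2026-04-16T10:00:05Z user=dave path=/de2api/datasetData/enumValueDs orderDirection=ASCENDING ms=90',
]
```

Because the legitimate value set is exactly ASC and DESC, alerting on anything outside the allow-list avoids the gaps of keyword matching alone; the keyword list is kept only as analyst context.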
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Identify all DataEase instances in your environment running version 2.10.20 or older
2. Restrict access to the affected endpoints to trusted users only
3. Enable comprehensive audit logging for all database queries and API requests
4. Monitor for suspicious patterns in orderDirection parameters

PATCHING GUIDANCE:
1. Upgrade to DataEase version 2.10.21 or later immediately
2. Test patches in a non-production environment first
3. Plan a maintenance window with minimal business impact
4. Verify that the patch has been applied after deployment

COMPENSATING CONTROLS (if immediate patching is not possible):
1. Apply Web Application Firewall rules to block SQL injection patterns
2. Apply input validation: whitelist only the values 'ASC' and 'DESC'
3. Use database accounts with the least privileges
4. Apply rate limiting on the affected endpoints
5. Enable SQL query logging and alerting

DETECTION RULES:
1. Monitor orderDirection parameters that contain SQL keywords
2. Alert on multiple failed database queries
3. Track unusual data extraction patterns
4. Monitor for time-based blind SQL injection indicators
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.14.2.1 - Information security requirements for system development and maintenance
- ECC 2024 A.14.2.5 - Secure development policy
- ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
- SAMA CSF ID.BE-3.2 - Organizational roles, responsibilities, and authorities are established
- SAMA CSF PR.DS-6 - Data is protected from unauthorized access and corruption
- SAMA CSF DE.CM-1 - The network is monitored to detect potential cybersecurity events
🟡 ISO 27001:2022
- ISO 27001:2022 A.8.1 - Organizational controls for information security
- ISO 27001:2022 A.14.2.1 - Secure development policy and procedures
- ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
- PCI DSS 6.2 - Ensure that all system components and software are protected from known vulnerabilities
- PCI DSS 6.5.1 - Injection flaws (such as SQL injection)
📦 Affected Products / CPE (1 entry)
dataease:dataease
📊 CVSS Score: 8.8 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-89
EPSS: 0.03%
Exploit: ✓ Yes
Patch: ✗ No
Published: 2026-04-16
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
exploit-available · CWE-89