📄 Description (English)
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple string replacement without any sanitization or escaping of the table name. An authenticated attacker can inject arbitrary SQL commands by crafting a deTableName that breaks out of identifier quoting, enabling error-based SQL injection that can extract database information such as the MySQL version. This issue has been fixed in version 2.10.21.
🤖 AI Executive Summary
DataEase versions 2.10.20 and below contain a critical SQL injection vulnerability in the API datasource saving process that allows authenticated attackers to execute arbitrary SQL commands. The vulnerability exists in the deTableName field processing where Base64-encoded datasource configurations are used to construct DDL statements without proper sanitization. This enables attackers to extract sensitive database information and potentially compromise data integrity. Immediate patching to version 2.10.21 or later is strongly recommended for all Saudi organizations utilizing DataEase.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 03:11
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations in the following sectors: (1) Banking and Financial Services - DataEase deployments used for financial analytics and reporting could expose customer data and transaction information; (2) Government and Public Sector - agencies using DataEase for data visualization and analytics may have sensitive administrative and citizen data compromised; (3) Healthcare - hospitals and health authorities using DataEase for patient data analytics face HIPAA-equivalent compliance violations; (4) Energy Sector (ARAMCO and subsidiaries) - operational data and analytics systems could be compromised; (5) Telecommunications (STC, Mobily, Zain) - customer analytics and network data at risk; (6) Retail and E-commerce - customer behavioral data and transaction analytics vulnerable. The authenticated nature of the attack reduces immediate risk but is critical for insider threats and compromised account scenarios.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities (ARAMCO)
Telecommunications (STC, Mobily, Zain)
Retail and E-commerce
Insurance
Education and Research
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all DataEase instances in your environment running versions 2.10.20 or below
2. Restrict API access to datasource saving endpoints to trusted networks only
3. Implement network segmentation to isolate DataEase instances from critical systems
4. Review access logs for suspicious datasource configuration activities
5. Monitor database query logs for unusual DDL statements
PATCHING GUIDANCE:
1. Upgrade DataEase to version 2.10.21 or later immediately
2. Test patches in non-production environments first
3. Implement change management procedures for production deployments
4. Verify patch application by checking version numbers post-deployment
COMPENSATING CONTROLS (if patching delayed):
1. Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in API requests
2. Apply database-level access controls limiting DataEase service account privileges
3. Enable SQL query logging and alerting for suspicious DDL statements
4. Implement input validation at application layer for datasource configurations
5. Use database activity monitoring (DAM) solutions to detect anomalous queries
DETECTION RULES:
1. Monitor for Base64-encoded payloads containing SQL keywords (UNION, SELECT, DROP, CREATE) in deTableName field
2. Alert on DDL statements (CREATE, ALTER, DROP) originating from DataEase service accounts
3. Track failed SQL queries with syntax errors from DataEase connections
4. Monitor for multiple rapid API calls to datasource saving endpoints
5. Implement SIEM rules for error-based SQL injection patterns in database logs
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع مثيلات DataEase في بيئتك التي تعمل بالإصدارات 2.10.20 أو أقدم
2. تقييد الوصول إلى نقاط نهاية حفظ مصدر البيانات للشبكات الموثوقة فقط
3. تنفيذ تقسيم الشبكة لعزل مثيلات DataEase عن الأنظمة الحرجة
4. مراجعة سجلات الوصول للأنشطة المريبة في تكوين مصدر البيانات
5. مراقبة سجلات استعلامات قاعدة البيانات للبيانات غير العادية
إرشادات التصحيح:
1. ترقية DataEase إلى الإصدار 2.10.21 أو أحدث فوراً
2. اختبار التصحيحات في بيئات غير الإنتاج أولاً
3. تنفيذ إجراءات إدارة التغيير لنشر الإنتاج
4. التحقق من تطبيق التصحيح بفحص أرقام الإصدار بعد النشر
الضوابط البديلة (إذا تأخر التصحيح):
1. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن أنماط حقن SQL في طلبات API
2. تطبيق ضوابط الوصول على مستوى قاعدة البيانات لتحديد امتيازات حساب خدمة DataEase
3. تفعيل تسجيل استعلامات SQL والتنبيهات للبيانات غير العادية
4. تنفيذ التحقق من الإدخال على مستوى التطبيق لتكوينات مصدر البيانات
5. استخدام حلول مراقبة نشاط قاعدة البيانات (DAM) للكشف عن الاستعلامات الشاذة
قواعد الكشف:
1. مراقبة الحمولات المشفرة بـ Base64 التي تحتوي على كلمات مفتاحية SQL في حقل deTableName
2. التنبيه على بيانات DDL من حسابات خدمة DataEase
3. تتبع استعلامات SQL الفاشلة مع أخطاء بناء الجملة من اتصالات DataEase
4. مراقبة استدعاءات API المتعددة السريعة لنقاط نهاية حفظ مصدر البيانات
5. تنفيذ قواعد SIEM لأنماط حقن SQL القائمة على الأخطاء في سجلات قاعدة البيانات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 - 5.1.1: Access Control and Authentication
ECC 2024 - 5.2.1: Data Protection and Encryption
ECC 2024 - 5.3.1: Application Security
ECC 2024 - 5.4.1: Vulnerability Management
ECC 2024 - 5.5.1: Incident Response
🔵 SAMA CSF
SAMA CSF - Governance: Risk Management Framework
SAMA CSF - Protect: Access Control and Data Protection
SAMA CSF - Detect: Monitoring and Logging
SAMA CSF - Respond: Incident Response Procedures
🟡 ISO 27001:2022
ISO 27001:2022 - A.5.1: Policies for information security
ISO 27001:2022 - A.8.1: User endpoint devices
ISO 27001:2022 - A.8.2: Privileged access rights
ISO 27001:2022 - A.8.3: Information access restriction
ISO 27001:2022 - A.14.2: Development security
ISO 27001:2022 - A.14.3: Testing of information systems
🟣 PCI DSS v4.0.1
PCI DSS 4.1: Encryption of cardholder data in transit
PCI DSS 6.2: Security patches and updates
PCI DSS 6.5: Injection flaws prevention
PCI DSS 10.2: Logging and monitoring
🔗 References & Sources 3
🔗
https://github.com/dataease/dataease/releases/tag/v2.10.21
security-advisories@github.com
Release Notes
🔗
https://github.com/dataease/dataease/security/advisories/GHSA-fg4m-q7ch-jqv5
security-advisories@github.com
Exploit
Third Party Advisory
🔗
https://github.com/dataease/dataease/security/advisories/GHSA-fg4m-q7ch-jqv5
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Third Party Advisory
📦 Affected Products / CPE 1 entries
dataease:dataease