📄 Description (English)
DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint. The user-supplied SQL is wrapped in a subquery without validation that the input is a single SELECT statement. Combined with the JDBC blocklist bypass that allows enabling allowMultiQueries=true, an attacker can break out of the subquery and execute arbitrary stacked SQL statements, including UPDATE and other write operations, against the connected database. An authenticated attacker with access to valid datasource credentials can achieve full read and write access to the underlying database. This issue has been fixed in version 2.10.21.
🤖 AI Executive Summary
DataEase versions 2.10.20 and below contain a critical SQL injection vulnerability in the /de2api/datasetData/previewSql endpoint that allows authenticated attackers to execute arbitrary SQL statements including write operations against connected databases. The vulnerability exploits insufficient input validation combined with JDBC blocklist bypass techniques. Organizations using DataEase for analytics and reporting face immediate risk of data breach and database compromise.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 11:47
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations in financial services (banking sector under SAMA oversight), government agencies (NCA, GOSI, MOH), energy sector (ARAMCO, SEC), and telecommunications (STC, Mobily) that deploy DataEase for business intelligence and analytics face critical risk. The vulnerability enables authenticated insiders or compromised accounts to exfiltrate sensitive financial data, personal information, and operational intelligence. Government entities processing classified or sensitive national data are particularly vulnerable. The ability to execute write operations poses additional risk of data manipulation and integrity compromise.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
Insurance
Education
Retail and E-commerce
🎯 MITRE ATT&CK Techniques
T1190 - Exploit Public-Facing Application
T1589 - Gather Victim Identity Information
T1213 - Data from Information Repositories
T1020 - Automated Exfiltration
T1565 - Data Manipulation
T1565.001 - Data Manipulation: Stored Data Manipulation
T1110 - Brute Force
T1078 - Valid Accounts
T1078.001 - Valid Accounts: Default Accounts
T1087 - Account Discovery
T1005 - Data from Local System
T1041 - Exfiltration Over C2 Channel
⚖️ Saudi Risk Score (AI)
8.9
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all DataEase instances in your environment and document their version numbers
2. Restrict network access to DataEase API endpoints, particularly /de2api/datasetData/previewSql, using firewall rules and WAF policies
3. Review and audit all DataEase user accounts and datasource credentials; revoke unnecessary access
4. Enable comprehensive logging and monitoring of all SQL queries executed through DataEase
5. Implement database activity monitoring (DAM) to detect anomalous SQL patterns
PATCHING GUIDANCE:
1. Upgrade to DataEase version 2.10.21 or later immediately when available
2. If immediate patching is not possible, implement input validation at the application layer to reject multi-statement SQL queries
3. Disable allowMultiQueries parameter in JDBC connection strings if not required for legitimate operations
4. Apply principle of least privilege to DataEase service accounts - use read-only database credentials where possible
COMPENSATING CONTROLS:
1. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in /de2api/datasetData/previewSql requests
2. Deploy database-level query restrictions using stored procedures and parameterized queries
3. Enable database encryption at rest and in transit
4. Implement multi-factor authentication for all DataEase administrative accounts
5. Segment DataEase infrastructure from critical production databases using network isolation
DETECTION RULES:
1. Monitor for SQL keywords (UNION, DROP, INSERT, UPDATE, DELETE, EXEC) in /de2api/datasetData/previewSql POST parameters
2. Alert on multiple SQL statements in single API request (semicolon-separated queries)
3. Track failed authentication attempts followed by successful API calls
4. Monitor for unusual database write operations originating from DataEase service accounts
5. Log and alert on changes to JDBC connection parameters, especially allowMultiQueries modifications
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات DataEase في بيئتك وقم بتوثيق أرقام إصداراتها
2. قيد الوصول إلى نقاط نهاية DataEase API، خاصة /de2api/datasetData/previewSql، باستخدام قواعد جدار الحماية وسياسات WAF
3. راجع وتدقيق جميع حسابات مستخدمي DataEase وبيانات اعتماد مصدر البيانات؛ إلغاء الوصول غير الضروري
4. تفعيل السجلات الشاملة والمراقبة لجميع استعلامات SQL المنفذة من خلال DataEase
5. تنفيذ مراقبة نشاط قاعدة البيانات (DAM) للكشف عن أنماط SQL الشاذة
إرشادات التصحيح:
1. قم بالترقية إلى إصدار DataEase 2.10.21 أو أحدث فوراً عند توفره
2. إذا لم يكن التصحيح الفوري ممكناً، قم بتنفيذ التحقق من المدخلات على مستوى التطبيق لرفض استعلامات SQL متعددة الجمل
3. عطل معامل allowMultiQueries في سلاسل اتصال JDBC إذا لم تكن مطلوبة للعمليات المشروعة
4. طبق مبدأ أقل امتياز على حسابات خدمة DataEase - استخدم بيانات اعتماد قاعدة البيانات للقراءة فقط حيث أمكن
الضوابط التعويضية:
1. تنفيذ قواعد جدار تطبيقات الويب (WAF) لحظر أنماط حقن SQL في طلبات /de2api/datasetData/previewSql
2. نشر قيود الاستعلام على مستوى قاعدة البيانات باستخدام الإجراءات المخزنة والاستعلامات المعاملة
3. تفعيل تشفير قاعدة البيانات أثناء الراحة والنقل
4. تنفيذ المصادقة متعددة العوامل لجميع حسابات إدارة DataEase
5. فصل بنية DataEase عن قواعد البيانات الإنتاجية الحرجة باستخدام العزل الشبكي
قواعد الكشف:
1. مراقبة كلمات مفاتيح SQL (UNION, DROP, INSERT, UPDATE, DELETE, EXEC) في معاملات POST /de2api/datasetData/previewSql
2. تنبيه على عمليات SQL متعددة في طلب API واحد (استعلامات مفصولة بفاصلة منقوطة)
3. تتبع محاولات المصادقة الفاشلة متبوعة بنداءات API الناجحة
4. مراقبة عمليات كتابة قاعدة البيانات غير العادية التي تنشأ من حسابات خدمة DataEase
5. تسجيل والتنبيه على التغييرات في معاملات اتصال JDBC، خاصة تعديلات allowMultiQueries
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.6.2.1 - User Registration and De-registration
A.6.2.2 - User Access Provisioning
A.7.1.1 - Cryptography Policy
A.8.1.1 - Audit Logging
A.8.2.1 - Protection of Log Information
A.9.1.1 - Event Detection
A.9.2.1 - Security Event Escalation
A.10.1.1 - Vulnerability Management
🔵 SAMA CSF
Governance (GV) - GV-1: Organizational Context and Objectives
Governance (GV) - GV-2: Information Security Strategy
Identify (ID) - ID-1: Asset Management
Identify (ID) - ID-2: Business Environment
Protect (PR) - PR-1: Access Control
Protect (PR) - PR-2: Data Security
Protect (PR) - PR-3: Technology Infrastructure
Detect (DE) - DE-1: Detection Processes
Respond (RS) - RS-1: Response Planning
Recover (RC) - RC-1: Recovery Planning
🟡 ISO 27001:2022
5.1 - Policies for information security
5.3 - Segregation of duties
6.1 - Screening
6.2 - Terms and conditions of employment
6.5 - Access rights
7.1 - Cryptography
8.1 - User endpoint devices
8.2 - Privileged access rights
8.3 - Information access restriction
8.22 - Monitoring
8.23 - Web filtering
8.24 - Use of cryptography
8.28 - Secure coding
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain a firewall configuration
Requirement 2 - Do not use vendor-supplied defaults
Requirement 6 - Develop and maintain secure systems and applications
Requirement 6.5.1 - Injection flaws prevention
Requirement 8 - Identify and authenticate access
Requirement 10 - Track and monitor access to network resources
🔗 References & Sources 3
🔗
https://github.com/dataease/dataease/releases/tag/v2.10.21
security-advisories@github.com
Release Notes
🔗
https://github.com/dataease/dataease/security/advisories/GHSA-vqxf-84ph-j3vx
security-advisories@github.com
Exploit
Third Party Advisory
🔗
https://github.com/dataease/dataease/security/advisories/GHSA-vqxf-84ph-j3vx
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Third Party Advisory
📦 Affected Products / CPE 1 entries
dataease:dataease