الثغرات ›

CVE-2026-40901

مرتفع ⚡ اختراق متاح

CWE-502 — نوع الضعف

                    نُشر: Apr 16, 2026                      ·  آخر تحديث: Apr 23, 2026                      ·  المصدر: NVD                

CVSS v3

8.8

🔗 NVD الرسمي

📄 الوصف (الإنجليزية)

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below ship the legacy velocity-1.7.jar, which pulls in commons-collections-3.2.1.jar containing the InvokerTransformer deserialization gadget chain. Quartz 2.3.2, also bundled in the application, deserializes job data BLOBs from the qrtz_job_details table using ObjectInputStream with no deserialization filter or class allowlist. An authenticated attacker who can write to the Quartz job table, such as through the previously described SQL injection in previewSql, can replace a scheduled job's JOB_DATA with a malicious CommonsCollections6 gadget chain payload. When the Quartz cron trigger fires, the payload is deserialized and executes arbitrary commands as root inside the container, achieving full remote code execution. This issue has been fixed in version 2.10.21.

🤖 ملخص AI

DataEase versions 2.10.20 and below contain a critical remote code execution vulnerability through unsafe Java deserialization in Quartz job scheduling. An authenticated attacker exploiting SQL injection can inject malicious serialized gadget chains into job data, achieving arbitrary command execution as root when scheduled jobs trigger. This vulnerability chains multiple weaknesses (CWE-502 deserialization, SQL injection, missing input validation) and is actively exploitable with public proof-of-concept code available.

📄 الوصف (العربية)

🤖 التحليل الذكي آخر تحليل: Apr 23, 2026 11:48

🇸🇦 التأثير على المملكة العربية السعودية

Saudi organizations using DataEase for business intelligence and analytics face critical risk, particularly in: (1) Banking sector (SAMA-regulated institutions) storing sensitive financial data and customer information; (2) Government agencies (NCA oversight) using DataEase for reporting and decision support; (3) Energy sector (ARAMCO, utilities) relying on analytics for operational monitoring; (4) Healthcare institutions managing patient data; (5) Telecommunications (STC, Mobily) analyzing network and customer data. Full system compromise as root enables data exfiltration, lateral movement to connected systems, and supply chain attacks through compromised analytics infrastructure.

🏢 القطاعات السعودية المتأثرة

Banking and Financial Services Government and Public Administration Energy and Utilities Healthcare Telecommunications Insurance Retail and E-commerce

🎯 تقنيات MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution T1083 - File and Directory Discovery T1005 - Data from Local System T1041 - Exfiltration Over C2 Channel T1021 - Remote Services (lateral movement post-compromise) T1547 - Boot or Logon Autostart Execution (persistence)

⚖️ درجة المخاطر السعودية (AI)

9.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all DataEase instances in your environment (check ports 8080, 8081, custom ports) and document versions

2. Restrict network access to DataEase to authorized users only; implement network segmentation

3. Review Quartz job_details table for suspicious JOB_DATA entries (look for serialized Java objects, base64-encoded gadget chains)

4. Monitor application logs for deserialization errors, ClassNotFoundException, or unexpected job executions

5. Audit database access logs for SQL injection attempts targeting qrtz_job_details table

PATCHING GUIDANCE:

1. Upgrade immediately to DataEase 2.10.21 or later (patch available)

2. If upgrade not immediately possible, apply these compensating controls:

- Disable Quartz job scheduling if not required for operations

- Implement database-level access controls restricting writes to qrtz_* tables

- Apply input validation/WAF rules blocking SQL injection patterns in previewSql parameter

DETECTION RULES:

1. Monitor for SQL injection attempts: SELECT/UPDATE statements targeting qrtz_job_details with encoded payloads

2. Alert on deserialization exceptions in DataEase logs containing 'InvokerTransformer', 'CommonsCollections', 'ObjectInputStream'

3. Monitor process execution from DataEase container for unexpected child processes or shell commands

4. Track database modifications to qrtz_job_details outside normal application workflows

5. IDS/IPS signatures: Look for CommonsCollections6 gadget chain patterns in HTTP POST bodies to /api/preview endpoints

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع مثيلات DataEase في بيئتك وتوثيق الإصدارات

2. تقييد الوصول الشبكي إلى DataEase للمستخدمين المصرح لهم فقط

3. مراجعة جدول job_details للبحث عن إدخالات JOB_DATA المريبة

4. مراقبة سجلات التطبيق لأخطاء فك التسلسل والتنفيذ غير المتوقع

5. تدقيق سجلات الوصول للبحث عن محاولات حقن SQL



إرشادات التصحيح:

1. الترقية الفورية إلى DataEase 2.10.21 أو أحدث

2. إذا لم تكن الترقية ممكنة فوراً، طبق هذه الضوابط البديلة:

   - تعطيل جدولة Quartz إذا لم تكن مطلوبة

   - تطبيق التحكم في الوصول على مستوى قاعدة البيانات

   - تطبيق قواعد التحقق من صحة الإدخال لمنع حقن SQL



قواعد الكشف:

1. مراقبة محاولات حقن SQL في جداول qrtz_job_details

2. تنبيهات على استثناءات فك التسلسل تحتوي على 'InvokerTransformer' أو 'CommonsCollections'

3. مراقبة تنفيذ العمليات غير المتوقعة من حاوية DataEase

4. تتبع التعديلات على قاعدة البيانات خارج سير العمل العادي

📋 خريطة الامتثال التنظيمي

🟢 NCA ECC 2024

ECC 2024 A.12.6.1 - Management of technical vulnerabilities (patch management) ECC 2024 A.14.2.1 - Secure development policy (secure coding, input validation) ECC 2024 A.12.2.1 - User endpoint devices (endpoint protection, monitoring) ECC 2024 A.13.1.3 - Segregation of networks (network segmentation)

🔵 SAMA CSF

SAMA CSF ID.GV-1 - Governance framework (vulnerability management) SAMA CSF PR.DS-6 - Data protection (secure data handling, serialization controls) SAMA CSF DE.CM-1 - Detection processes (monitoring and alerting) SAMA CSF RS.MI-2 - Incident response (containment and eradication)

🟡 ISO 27001:2022

ISO 27001:2022 A.12.6.1 - Management of technical vulnerabilities ISO 27001:2022 A.14.2.5 - Secure development environment ISO 27001:2022 A.8.3.1 - User access management ISO 27001:2022 A.12.2.1 - Monitoring and logging

🟣 PCI DSS v4.0.1

PCI DSS 6.2 - Security patches and updates PCI DSS 6.5.1 - Injection flaws prevention PCI DSS 10.2 - Logging and monitoring PCI DSS 11.3 - Penetration testing (if DataEase processes payment data)

🔗 المراجع والمصادر 2

🔗

https://github.com/dataease/dataease/releases/tag/v2.10.21

security-advisories@github.com

Release Notes

🔗

https://github.com/dataease/dataease/security/advisories/GHSA-gm5q-g72w-c466

security-advisories@github.com

Exploit Third Party Advisory

📦 المنتجات المتأثرة 1 منتج

dataease:dataease

📊 CVSS Score

8.8

/ 10.0 — مرتفع

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 حقائق سريعة

الخطورة مرتفع

CVSS Score8.8

CWECWE-502

EPSS0.40%

اختراق متاح ✓ نعم

تصحيح متاح ✗ لا

تاريخ النشر 2026-04-16

المصدر nvd

المشاهدات 5

🇸🇦 درجة المخاطر السعودية

9.2

/ 10.0 — مخاطر السعودية

أولوية: CRITICAL

🏷️ الوسوم

exploit-available CWE-502

⚡ إجراءات

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 التعليقات

جارٍ التحميل

CVE-2026-40901

💬 التعليقات

عرّفنا بنفسك

تسجيل الدخول مطلوب