CVE-2026-32939

{"id": "CVE-2026-32939", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-20T04:16:49.150", "references": [{"url": "https://github.com/dataease/dataease/commit/8f1c21834a620d37dafb3fa24605c059d0a5b80d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dataease/dataease/releases/tag/v2.10.20", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dataease/dataease/security/advisories/GHSA-pj7p-3m49-52qq", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-178"}]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its security checks to rely on the JVM's default runtime locale, while H2 JDBC always normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter i to \u0130 (dotted capital I) instead of the standard I, so a malicious parameter like iNIT becomes \u0130NIT in DataEase's filter (bypassing its blacklist) while H2 still correctly interprets it as INIT. This discrepancy allows attackers to smuggle dangerous JDBC parameters past DataEase's security validation, and the issue has been confirmed as exploitable in real DataEase deployment scenarios running under affected regional settings. The issue has been fixed in version 2.10.20."}, {"lang": "es", "value": "DataEase es una herramienta de an\u00e1lisis de visualizaci\u00f3n de datos de c\u00f3digo abierto. Las versiones 2.10.19 e inferiores tienen un manejo inconsistente de la configuraci\u00f3n regional entre la l\u00f3gica de validaci\u00f3n de URL JDBC y el an\u00e1lisis interno del motor JDBC H2. DataEase utiliza String.toUpperCase() sin especificar una configuraci\u00f3n regional expl\u00edcita, lo que hace que sus comprobaciones de seguridad dependan de la configuraci\u00f3n regional predeterminada en tiempo de ejecuci\u00f3n de la JVM, mientras que H2 JDBC siempre normaliza las URL utilizando Locale.ENGLISH. En entornos de configuraci\u00f3n regional turca (tr_TR), Java convierte la letra min\u00fascula i en ? (I may\u00fascula con punto) en lugar de la I est\u00e1ndar, por lo que un par\u00e1metro malicioso como iNIT se convierte en ?NIT en el filtro de DataEase (eludiendo su lista negra) mientras que H2 a\u00fan lo interpreta correctamente como INIT. Esta discrepancia permite a los atacantes introducir par\u00e1metros JDBC peligrosos m\u00e1s all\u00e1 de la validaci\u00f3n de seguridad de DataEase, y el problema ha sido confirmado como explotable en escenarios de despliegue reales de DataEase ejecut\u00e1ndose bajo configuraciones regionales afectadas. El problema ha sido solucionado en la versi\u00f3n 2.10.20."}], "lastModified": "2026-03-23T19:25:44.773", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "788CE210-A4A2-469E-B250-E5B1A46FA2CD", "versionEndExcluding": "2.10.20"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}