{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32140", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.546Z", "datePublished": "2026-03-12T18:04:49.569Z", "dateUpdated": "2026-03-13T16:21:15.825Z"}, "containers": {"cna": {"title": "Dataease: Redshift JDBC RCE Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-jc9q-3jfw-mch4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-jc9q-3jfw-mch4"}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"version": "< 2.10.20", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:04:49.569Z"}, "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. Prior to 2.10.20, By controlling the IniFile parameter, an attacker can force the JDBC driver to load an attacker-controlled configuration file. This configuration file can inject dangerous JDBC properties, leading to remote code execution. The Redshift JDBC driver execution flow reaches a method named getJdbcIniFile. The getJdbcIniFile method implements an aggressive automatic configuration file discovery mechanism. If not explicitly restricted, it searches for a file named rsjdbc.ini. In a JDBC URL context, users can explicitly specify the configuration file via URL parameters, which allows arbitrary files on the server to be loaded as JDBC configuration files. Within the Redshift JDBC driver properties, the parameter IniFile is explicitly supported and used to load an external configuration file. This vulnerability is fixed in 2.10.20."}], "source": {"advisory": "GHSA-jc9q-3jfw-mch4", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-jc9q-3jfw-mch4", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:21:12.068132Z", "id": "CVE-2026-32140", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:21:15.825Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32140", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-13T16:21:12.068132Z"}}}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-jc9q-3jfw-mch4", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:20:54.598Z"}}], "cna": {"title": "Dataease: Redshift JDBC RCE Bypass", "source": {"advisory": "GHSA-jc9q-3jfw-mch4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"status": "affected", "version": "< 2.10.20"}]}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-jc9q-3jfw-mch4", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-jc9q-3jfw-mch4", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. Prior to 2.10.20, By controlling the IniFile parameter, an attacker can force the JDBC driver to load an attacker-controlled configuration file. This configuration file can inject dangerous JDBC properties, leading to remote code execution. The Redshift JDBC driver execution flow reaches a method named getJdbcIniFile. The getJdbcIniFile method implements an aggressive automatic configuration file discovery mechanism. If not explicitly restricted, it searches for a file named rsjdbc.ini. In a JDBC URL context, users can explicitly specify the configuration file via URL parameters, which allows arbitrary files on the server to be loaded as JDBC configuration files. Within the Redshift JDBC driver properties, the parameter IniFile is explicitly supported and used to load an external configuration file. This vulnerability is fixed in 2.10.20."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T18:04:49.569Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32140", "state": "PUBLISHED", "dateUpdated": "2026-03-13T16:21:15.825Z", "dateReserved": "2026-03-10T22:19:36.546Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T18:04:49.569Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "matchCriteriaId": "788CE210-A4A2-469E-B250-E5B1A46FA2CD", "versionEndExcluding": "2.10.20", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization analysis tool. Prior to 2.10.20, By controlling the IniFile parameter, an attacker can force the JDBC driver to load an attacker-controlled configuration file. This configuration file can inject dangerous JDBC properties, leading to remote code execution. The Redshift JDBC driver execution flow reaches a method named getJdbcIniFile. The getJdbcIniFile method implements an aggressive automatic configuration file discovery mechanism. If not explicitly restricted, it searches for a file named rsjdbc.ini. In a JDBC URL context, users can explicitly specify the configuration file via URL parameters, which allows arbitrary files on the server to be loaded as JDBC configuration files. Within the Redshift JDBC driver properties, the parameter IniFile is explicitly supported and used to load an external configuration file. This vulnerability is fixed in 2.10.20."}, {"lang": "es", "value": "Dataease es una herramienta de an\u00e1lisis de visualizaci\u00f3n de datos de c\u00f3digo abierto. Anterior a la versi\u00f3n 2.10.20, al controlar el par\u00e1metro IniFile, un atacante puede forzar al controlador JDBC a cargar un archivo de configuraci\u00f3n controlado por el atacante. Este archivo de configuraci\u00f3n puede inyectar propiedades JDBC peligrosas, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo. El flujo de ejecuci\u00f3n del controlador JDBC de Redshift alcanza un m\u00e9todo llamado getJdbcIniFile. El m\u00e9todo getJdbcIniFile implementa un mecanismo agresivo de descubrimiento autom\u00e1tico de archivos de configuraci\u00f3n. Si no se restringe expl\u00edcitamente, busca un archivo llamado rsjdbc.ini. En un contexto de URL JDBC, los usuarios pueden especificar expl\u00edcitamente el archivo de configuraci\u00f3n a trav\u00e9s de par\u00e1metros de URL, lo que permite que archivos arbitrarios en el servidor se carguen como archivos de configuraci\u00f3n JDBC. Dentro de las propiedades del controlador JDBC de Redshift, el par\u00e1metro IniFile es expl\u00edcitamente compatible y se utiliza para cargar un archivo de configuraci\u00f3n externo. Esta vulnerabilidad se corrige en la versi\u00f3n 2.10.20."}], "id": "CVE-2026-32140", "lastModified": "2026-03-13T19:54:40.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-12T18:16:25.573", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-jc9q-3jfw-mch4"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-jc9q-3jfw-mch4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.20)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "dataease", "source": "cna", "vendor": "dataease"}, "product": "dataease", "vendor": "dataease"}], "analysis": {"en": {"generated_at": "2026-03-18T14:55:13.080380+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied patch by upgrading Dataease to version 2.10.20 or later."], "summary": {"action": "Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of Dataease with the Redshift JDBC driver that are running a version prior to 2.10.20 are affected. The cpe string for the product is cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:* and the specific version range is any version older than 2.10.20. The issue was fixed in release 2.10.20.", "description_and_impact": "Dataease, an open source data visualization tool, has a critical flaw that allows an attacker to manipulate the IniFile parameter in a JDBC connection. This manipulation forces the Redshift JDBC driver to load an attacker\u2011controlled configuration file, which can inject dangerous JDBC properties. The result is remote code execution on the host running Dataease. The weakness is identified as CWE\u201122 (Path Traversal). The vulnerability permits an attacker to execute arbitrary code with the privileges of the Dataease process, potentially compromising the entire system and data exposed by the tool.", "risk_and_exploitability": "The CVSS v3.1 score for this issue is 9.3, indicating Critical risk. The EPSS score is less than 1%, suggesting a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a JDBC connection string that specifies an arbitrary configuration file; the attack surface is therefore likely limited to environments where users can control or influence JDBC URLs or data source configurations. Successful exploitation would allow arbitrary code execution with the application\u2019s runtime privileges."}}}}, "created": "2026-03-13T09:50:34.108040+00:00", "updated": "2026-03-20T15:48:39.047190+00:00", "vendors": ["dataease", "dataease$PRODUCT$dataease"]}