CVE-2022-34113

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to upload malicious plugins to Dataease v1.11.1 via the /api/plugin/upload endpoint, leading to remote code execution. Any organization running the affected version with the plugin upload feature accessible is at risk. Attackers can gain full control of the server.

💻 Affected Systems

Products:
  • Dataease
Versions: v1.11.1
Operating Systems: All platforms running Dataease
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration. Any installation with the plugin upload feature enabled is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing attackers to execute arbitrary commands, steal data, deploy ransomware, or pivot to other systems in the network.

🟠 Likely Case: Attackers upload malicious plugins to execute code, potentially creating backdoors, mining cryptocurrency, or exfiltrating sensitive data from the Dataease instance.

🟢 If Mitigated: With proper network segmentation and access controls, impact could be limited to the Dataease application server only.

🌐 Internet-Facing: HIGH - The upload endpoint is typically exposed, allowing direct exploitation from the internet.
🏢 Internal Only: HIGH - Even internally, any user with access could exploit this to compromise the server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The GitHub issue shows exploitation details. Attackers can craft malicious plugin files and upload them without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.11.2 or later

Vendor Advisory: https://github.com/dataease/dataease/issues/2431

Restart Required: Yes

Instructions:

1. Back up your Dataease configuration and data.
2. Download the latest version from the official repository.
3. Stop the Dataease service.
4. Replace the installation with the patched version.
5. Restart the service.

🔧 Temporary Workarounds

Disable plugin upload endpoint (platform: all)

Block access to the vulnerable /api/plugin/upload endpoint.

# Add to web server config (nginx example):
location /api/plugin/upload { deny all; }

Network access control (platform: linux)

Restrict access to the Dataease administration interface.

# Firewall rule example:
iptables -A INPUT -p tcp --dport [Dataease-port] -s [trusted-ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [Dataease-port] -j DROP

🧯 If You Can't Patch

  • Immediately restrict network access to Dataease to only trusted IP addresses
  • Implement WAF rules to block requests to the /api/plugin/upload endpoint

🔍 How to Verify

Check if Vulnerable:

Check whether the instance is running Dataease v1.11.1 and whether the /api/plugin/upload endpoint is accessible

Check Version:

Check Dataease web interface admin panel or application logs for version information

Verify Fix Applied:

Verify version is v1.11.2 or later and test that plugin uploads are properly validated

📡 Detection & Monitoring

Log Indicators:

  • Unusual plugin upload activity
  • POST requests to /api/plugin/upload
  • Unexpected process execution from Dataease

Network Indicators:

  • Outbound connections from Dataease server to unknown IPs
  • Unusual traffic patterns from Dataease port

SIEM Query:

source="dataease.logs" AND (uri="/api/plugin/upload" OR message="plugin upload")
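
A small triage script for the log indicators above, added here as an example (it is not part of the original advisory or of the Dataease project). It assumes an nginx reverse proxy writing combined-format access logs in front of Dataease; the sample lines are constructed.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

UPLOAD_PATH = "/api/plugin/upload"  # endpoint named in the advisory

# Assumption: nginx "combined" access-log format; adapt the regex otherwise.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2022:10:01:02 +0000] "POST /api/plugin/upload HTTP/1.1" 200 57 "-" "curl/7.81.0"',
    '203.0.113.7 - - [12/Jul/2022:10:01:09 +0000] "POST //api/plugin/%75pload?x=1 HTTP/1.1" 403 153 "-" "curl/7.81.0"',
    '198.51.100.4 - - [12/Jul/2022:10:02:00 +0000] "GET /api/plugin/upload HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Jul/2022:10:03:00 +0000] "POST /api/auth/login HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
]


def normalize(target):
    """Reduce a request target to a canonical path so spelling variants match."""
    path = unquote(target.split("?", 1)[0])  # drop the query string, decode %xx
    path = re.sub(r"/{2,}", "/", path)       # collapse duplicate slashes
    return normpath(path).lower()            # resolve ./ and trailing /; over-match on case


def find_upload_attempts(lines):
    """Return one record per POST to the plugin upload endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if normalize(m["target"]) != UPLOAD_PATH:
            continue
        status = int(m["status"])
        # 2xx: the request reached the application and was accepted.
        # 403 is what the nginx "deny all" workaround returns.
        hits.append({"ip": m["ip"], "time": m["ts"], "status": status,
                     "accepted": 200 <= status < 300})
    return hits


if __name__ == "__main__":
    for hit in find_upload_attempts(SAMPLE_LOG):
        label = "ACCEPTED" if hit["accepted"] else "rejected"
        print(f'{hit["time"]} {hit["ip"]} status={hit["status"]} {label}')
```

Any record with a 2xx status on an instance still running v1.11.1 should be treated as a possible compromise and followed up against the process-execution and outbound-connection indicators listed above.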
