CVE-2026-32939

Exploit

EPSS 0.05%
Veröffentlicht 20.03.2026 03:27:46
Zuletzt bearbeitet 23.03.2026 19:25:44
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

DataEase is an open source data visualization analysis tool. Versions 2.10.19 and below have inconsistent Locale handling between the JDBC URL validation logic and the H2 JDBC engine's internal parsing. DataEase uses String.toUpperCase() without specifying an explicit Locale, causing its security checks to rely on the JVM's default runtime locale, while H2 JDBC always normalizes URLs using Locale.ENGLISH. In Turkish locale environments (tr_TR), Java converts the lowercase letter i to İ (dotted capital I) instead of the standard I, so a malicious parameter like iNIT becomes İNIT in DataEase's filter (bypassing its blacklist) while H2 still correctly interprets it as INIT. This discrepancy allows attackers to smuggle dangerous JDBC parameters past DataEase's security validation, and the issue has been confirmed as exploitable in real DataEase deployment scenarios running under affected regional settings. The issue has been fixed in version 2.10.20.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dataease ≫ Dataease Version < 2.10.20

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.137

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	7.7	0	0	CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-178 Improper Handling of Case Sensitivity

The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.

https://github.com/dataease/dataease/security/advisories/GHSA-pj7p-3m49-52qq

Vendor Advisory

Exploit

https://github.com/dataease/dataease/commit/8f1c21834a620d37dafb3fa24605c059d0a5b80d

Patch

https://github.com/dataease/dataease/releases/tag/v2.10.20

Product

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-32939

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32939

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32939

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32939