DataGear is an open-source and free data visualization analysis platform that allows you to freely create any kind of data dashboard you want, supporting access to multiple data sources such as SQL, CSV, Excel, HTTP interface, JSON, etc.
DataGear 5.2.0 and below allows uploading arbitrary database drivers, which can lead to arbitrary command execution.
Reproduction
Step 1:
Upload the modified database driver file, mysql-connector-java-8.0.28.jar.
The connect method in com.mysql.cj.jdbc.NonRegisteringDriver has been modified to accept the username as a command for execution.
Step 2:
Create a new data source, select the recently uploaded driver as the data driver, enter "calc" as the username, and click test. This will open the calculator.
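The root cause is that any uploaded jar is loaded and its driver class is invoked with no check on where the jar came from or what it contains. The following is an added example of a pre-load check a defender could run on driver jars before DataGear (or any similar platform) registers them; it is not DataGear's own code. It verifies the upload's SHA-256 against an allowlist of vendor-published driver hashes (the hash value below is a placeholder, not a real checksum) and, as a second line of defence, parses the constant pool of every class file in the jar and flags references to java.lang.Runtime.exec or java.lang.ProcessBuilder, which a genuine JDBC driver has no reason to call. The jars and class files in the block are constructed in memory for demonstration; the class names com/example/FakeDriver and com/example/PlainDriver are made up.

```python
"""Added example (not DataGear's code): triage a JDBC driver jar before loading it.

Check 1: SHA-256 allowlist of vendor-published driver jars.
Check 2: parse each .class constant pool and flag process-execution APIs.
"""
import hashlib
import io
import struct
import zipfile

# Placeholder allowlist: file name -> SHA-256 of the genuine artifact, taken
# from the vendor's published checksums. The value here is NOT a real hash.
TRUSTED_DRIVER_SHA256 = {
    "mysql-connector-java-8.0.28.jar": "<sha256 of the genuine jar>",
}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_constant_pool(data: bytes) -> list:
    """Parse a class file's constant pool into a list indexed by pool slot.

    Only Utf8, Class, NameAndType and Field/Method/InterfaceMethodref entries
    are retained; other tags are skipped but their bytes are consumed.
    """
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    count = struct.unpack(">H", data[8:10])[0]
    pool = [None] * count
    pos, i = 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                   # CONSTANT_Utf8
            ln = struct.unpack(">H", data[pos:pos + 2])[0]
            pos += 2
            pool[i] = ("Utf8", data[pos:pos + ln].decode("utf-8", "replace"))
            pos += ln
        elif tag in (3, 4):                            # Integer, Float
            pos += 4
        elif tag in (5, 6):                            # Long, Double take two slots
            pos += 8
            i += 1
        elif tag == 7:                                 # CONSTANT_Class
            pool[i] = ("Class", struct.unpack(">H", data[pos:pos + 2])[0])
            pos += 2
        elif tag in (8, 16, 19, 20):                   # String, MethodType, Module, Package
            pos += 2
        elif tag in (9, 10, 11):                       # Fieldref, Methodref, InterfaceMethodref
            pool[i] = ("Ref",) + struct.unpack(">HH", data[pos:pos + 4])
            pos += 4
        elif tag == 12:                                # CONSTANT_NameAndType
            pool[i] = ("NameAndType",) + struct.unpack(">HH", data[pos:pos + 4])
            pos += 4
        elif tag == 15:                                # MethodHandle
            pos += 3
        elif tag in (17, 18):                          # Dynamic, InvokeDynamic
            pos += 4
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return pool


def find_exec_refs(class_bytes: bytes) -> list[str]:
    """Return 'class.method' strings for process-execution references in one class."""
    pool = parse_constant_pool(class_bytes)

    def utf8(idx):
        e = pool[idx] if 0 < idx < len(pool) else None
        return e[1] if e and e[0] == "Utf8" else None

    hits = []
    for entry in pool:
        if not entry or entry[0] != "Ref":
            continue
        cls_entry, nat_entry = pool[entry[1]], pool[entry[2]]
        if not cls_entry or not nat_entry or cls_entry[0] != "Class" or nat_entry[0] != "NameAndType":
            continue
        cls, name = utf8(cls_entry[1]), utf8(nat_entry[1])
        if (cls, name) == ("java/lang/Runtime", "exec") or cls == "java/lang/ProcessBuilder":
            hits.append(f"{cls}.{name}")
    return hits


def scan_jar(data: bytes) -> dict:
    """Return {class entry name: [suspicious refs]} for every flagged class in the jar."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for entry in jar.namelist():
            if entry.endswith(".class"):
                hits = find_exec_refs(jar.read(entry))
                if hits:
                    findings[entry] = hits
    return findings


def verdict(filename: str, data: bytes, allowlist=TRUSTED_DRIVER_SHA256) -> tuple[bool, str]:
    """Allow only allowlisted jars; explain why anything else is rejected."""
    if allowlist.get(filename) == sha256_of(data):
        return True, "hash matches trusted allowlist"
    findings = scan_jar(data)
    if findings:
        detail = "; ".join(f"{k}: {', '.join(v)}" for k, v in sorted(findings.items()))
        return False, f"not on allowlist and references process-execution APIs ({detail})"
    return False, "not on allowlist (reject or require admin review)"


# --- constructed sample input (class-file prefixes holding only a constant pool) ---
def _class_blob(pool_entries) -> bytes:
    out = bytearray(b"\xca\xfe\xba\xbe\x00\x00\x00\x34") + struct.pack(">H", len(pool_entries) + 1)
    for kind, *args in pool_entries:
        if kind == "Utf8":
            raw = args[0].encode()
            out += b"\x01" + struct.pack(">H", len(raw)) + raw
        elif kind == "Class":
            out += b"\x07" + struct.pack(">H", args[0])
        elif kind == "NameAndType":
            out += b"\x0c" + struct.pack(">HH", *args)
        elif kind == "Methodref":
            out += b"\x0a" + struct.pack(">HH", *args)
    return bytes(out)


def _jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, blob in entries.items():
            jar.writestr(name, blob)
    return buf.getvalue()


SUSPICIOUS_JAR = _jar({"com/example/FakeDriver.class": _class_blob([
    ("Utf8", "java/lang/Runtime"), ("Class", 1), ("Utf8", "exec"),
    ("Utf8", "(Ljava/lang/String;)Ljava/lang/Process;"), ("NameAndType", 3, 4), ("Methodref", 2, 5)])})
BENIGN_JAR = _jar({"com/example/PlainDriver.class": _class_blob([
    ("Utf8", "java/sql/Connection"), ("Class", 1), ("Utf8", "createStatement"),
    ("Utf8", "()Ljava/sql/Statement;"), ("NameAndType", 3, 4), ("Methodref", 2, 5)])})

if __name__ == "__main__":
    print(verdict("mysql-connector-java-8.0.28.jar", SUSPICIOUS_JAR))
    print(verdict("mysql-connector-java-8.0.28.jar", BENIGN_JAR))
```

The hash allowlist is the control that actually closes the hole: a modified jar never matches the vendor checksum, however its classes are named. The constant-pool scan is a triage aid for jars that are not yet allowlisted; it catches the direct Runtime.exec pattern but not reflection or native code, so a scan that comes back clean still means "needs admin review", not "safe to load".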