CVE-2022-34115: 
Java vulnerability analysis and mitigation

DataEase v1.11.1 was discovered to contain an arbitrary file write vulnerability via the parameter dataSourceId. The vulnerability was assigned CVE-2022-34115 and was disclosed on June 15, 2022. The vulnerability affects DataEase software version 1.11.1 and received a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD).

The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability exists in the data source driver management interface where the file upload functionality fails to properly validate the file path, allowing for directory traversal. The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability can be exploited remotely with no privileges or user interaction required (NVD).

The vulnerability allows an attacker to write files to arbitrary locations on the system by manipulating the file upload parameters. This could potentially lead to overwriting critical configuration files or placing malicious files on the system, which could result in unauthorized code execution (GitHub Issue).

The vulnerability was fixed in DataEase version 1.11.2. Users are advised to upgrade to this version or later. The fix includes adding proper permission controls for plugin operations and addressing the arbitrary file write vulnerability in the driver management functionality (GitHub Release).