CVE-2024-46997: 
Java vulnerability analysis and mitigation

DataEase, an open source data visualization analysis tool, was found to contain a critical remote command execution vulnerability (CVE-2024-46997) prior to version 2.10.1. The vulnerability was discovered on September 23, 2024, and allows attackers to achieve remote command execution by adding a carefully constructed h2 data source connection string. The vulnerability affects all versions up to and including 2.10.0 (GitHub Advisory).

The vulnerability has a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue lies in the handling of h2 data source connection strings, where an attacker can inject malicious SQL commands through the INIT parameter. By crafting a specific connection string that includes a RUNSCRIPT command, attackers can execute arbitrary system commands (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary commands on the affected system through the h2 database connection. This can lead to complete system compromise, as demonstrated by the proof of concept where an attacker could create files on the target system (GitHub Advisory).

The vulnerability has been patched in DataEase version 2.10.1. Users are strongly recommended to upgrade to this version to mitigate the risk. No alternative workarounds have been provided (GitHub Advisory).