Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-70829 is an information exposure vulnerability in Datart version 1.0.0-rc.3 that allows authenticated attackers to access sensitive internal data by exploiting the application's handling of custom H2 JDBC connection strings."}, {'type': 'paragraph', 'content': 'Attackers can create a malicious data source within the Datart dashboard by configuring a custom H2 JDBC URL pointing to the internal database file. After logging in, they navigate to the Data Source section, create and test this malicious data source, and then use SQL editor or chart tools to execute arbitrary SQL queries on the internal database.'}, {'type': 'paragraph', 'content': 'This allows attackers to retrieve sensitive information such as user credentials (including password hashes) and configuration details of other connected data sources. The password hashes can be used to forge valid JWT tokens to impersonate any user, including administrators, because the application uses a hardcoded secret key for JWT signing.'}, {'type': 'paragraph', 'content': 'Additionally, attackers can decrypt AES-encrypted configuration fields containing plaintext credentials for external databases using the same hardcoded key.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to significant security breaches by exposing sensitive internal data to authenticated attackers.

• Attackers can access user credentials, including password hashes.
• They can forge JWT tokens to impersonate any user, including administrators, gaining unauthorized access and control.
• Attackers can obtain configuration details and plaintext credentials for external databases connected to Datart.

Overall, this can compromise the confidentiality, integrity, and availability of the Datart system and any connected data sources.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by verifying if an authenticated user can create a custom H2 JDBC data source within the Datart dashboard that points to the internal database file.'}, {'type': 'paragraph', 'content': 'Specifically, after logging into Datart, check if it is possible to navigate to the "Data Source" section, create a new H2 data source with a JDBC URL like `jdbc:h2:file:./bin/h2/datart.demo;MODE=MySQL`, test the connection, and save it.'}, {'type': 'paragraph', 'content': 'If this is possible, the system is vulnerable because it allows execution of arbitrary SQL queries on the internal database.'}, {'type': 'paragraph', 'content': 'Commands or steps to detect exploitation include attempting to create such a data source and running SQL queries to access sensitive tables such as `user` or `source`.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting authenticated users from creating or modifying H2 JDBC data sources that point to internal database files.

Additionally, review and remove or limit permissions that allow users to add custom data sources or execute arbitrary SQL queries within the Datart dashboard.

Consider changing the hardcoded JWT secret key and avoid using predictable or hardcoded keys for signing tokens.

If possible, update or patch Datart to a version where this vulnerability is fixed.

Useful 0 Not Useful 0