A critical remote code execution vulnerability has been identified in multiple JimuReport products, specifically in versions up to 2.1.3. An attacker can exploit this flaw by submitting a specially crafted H2 database connection string, allowing them to run arbitrary code and completely compromise the affected server. This could lead to data theft, service disruption, or further attacks on the internal network.

The vulnerability exists in how the JimuReport application processes H2 database JDBC URLs. The application fails to properly sanitize user-supplied connection strings before passing them to the H2 database driver. An unauthenticated remote attacker can craft a malicious JDBC URL containing specific H2 directives (such as INIT=RUNSCRIPT) which, when processed by the driver, will execute arbitrary Java code on the underlying server with the privileges of the JimuReport application.

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high risk to the organization. Successful exploitation would grant an attacker full control over the compromised server, leading to a complete loss of confidentiality, integrity, and availability. Potential consequences include theft or modification of sensitive data stored in the application's databases, deployment of ransomware, service outages, and using the compromised server as a foothold to launch further attacks against the internal corporate network.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor. Organizations must upgrade all affected instances of JimuReport to a version higher than 2.1.3 immediately. After patching, it is crucial to review application and system logs for any signs of compromise that may have occurred before the update was applied.

Proactive Monitoring: Security teams should actively monitor for exploitation attempts by inspecting application logs for suspicious H2 JDBC connection strings. Specifically, look for URLs containing directives like INIT, RUNSCRIPT, or calls to external resources. Monitor for anomalous behavior on the server hosting JimuReport, such as unexpected outbound network connections, new processes being spawned by the application's user account, or unauthorized file creation/modification.

Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:

• Use a Web Application Firewall (WAF) with rules designed to detect and block malicious JDBC URL patterns.
• Strictly limit network access to the JimuReport application, especially any administrative interfaces where data sources are configured.
• If possible, configure the application to disallow the use of H2 databases as a data source until a patch can be applied.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the risk of complete system compromise, this vulnerability requires immediate attention. All organizations using affected versions of JimuReport must prioritize the deployment of vendor-supplied patches across all environments. Although this vulnerability is not currently on the CISA KEV list, its severity warrants treating it with the highest urgency to prevent potential exploitation.