{
  "cve": "CVE-2026-40899",
  "cwe": ["CWE-915", "CWE-470"],
  "validation_status": "CONFIRMED",
  "validation_timestamp": "2025-05-25T13:10:00Z",
  "validated_by": "reproduction_steps.sh",
  "verdict": {
    "vulnerability_exists": true,
    "fix_is_effective": true,
    "reproducibility": "deterministic",
    "reproduction_reliability": "high"
  },
  "test_environment": {
    "method": "docker_container_desktop_mode",
    "vulnerable_image": "registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.20",
    "fixed_image": "registry.cn-qingdao.aliyuncs.com/dataease/dataease:v2.10.21",
    "runtime": "Docker Engine 29.3.1"
  },
  "test_results": {
    "vulnerable_version": {
      "version": "v2.10.20",
      "endpoint": "http://127.0.0.1:18100/de2api/datasource/validate",
      "response_file": "logs/vulnerable_response.json",
      "response_summary": "DEException(code=40001, msg=Communications link failure...)",
      "indicator": "Communications link failure",
      "interpretation": "The forbidden JDBC parameter 'allowloadlocalinfile=true' was NOT blocked. The server accepted the malicious configuration and attempted to open a JDBC connection to the attacker-specified host, failing only because no MySQL server was listening.",
      "bypass_confirmed": true,
      "blocklist_overwritten": true,
      "exit_code": 0
    },
    "fixed_version": {
      "version": "v2.10.21",
      "endpoint": "http://127.0.0.1:18101/de2api/datasource/validate",
      "response_file": "logs/fixed_response.json",
      "response_summary": "DEException(code=40001, msg=Illegal parameter: allowloadlocalinfile)",
      "indicator": "Illegal parameter: allowloadlocalinfile",
      "interpretation": "The forbidden JDBC parameter was correctly rejected. The fix prevents Jackson from deserializing the 'illegalParameters' field (via @JsonIgnore), so the attacker cannot overwrite the blocklist.",
      "bypass_confirmed": false,
      "blocklist_intact": true,
      "exit_code": 0
    }
  },
  "root_cause_summary": "Lombok @Data annotation on datasource type classes (e.g., Mysql.java) auto-generates a public setter for the 'illegalParameters' blocklist field. Jackson JSON deserialization invokes this setter when the request contains 'illegalParameters': [], overwriting the hardcoded blocklist before validation. The fix adds @JsonIgnore to prevent deserialization of this field.",
  "fix_commit": "16a950f96089b2a90e37d82304ede714a40902ba",
  "evidence_artifacts": [
    "logs/vulnerable_response.json",
    "logs/fixed_response.json",
    "logs/repro_run.log",
    "repro/runtime_manifest.json"
  ],
  "validation_exit_code": 0,
  "notes": "Both the vulnerable and the fixed version were exercised with the same request. On the vulnerable version the request bypassed the blocklist, while the fixed version rejected the malicious parameter as expected. The test completed in approximately 71 seconds."
}
