CVE-2024-52295

Exploit

EPSS 0.62%
Veröffentlicht 13.11.2024 16:15:19
Zuletzt bearbeitet 20.02.2025 16:21:26
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

DataEase is an open source data visualization analysis tool. Prior to 2.10.2, DataEase allows attackers to forge jwt and take over services. The JWT secret is hardcoded in the code, and the UID and OID are hardcoded. The vulnerability has been fixed in v2.10.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dataease ≫ Dataease Version < 2.10.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.62%	0.691

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.3	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://github.com/dataease/dataease/commit/e755248d59543bcd668ace495f293ff735fa82e9

Patch

https://github.com/dataease/dataease/security/advisories/GHSA-45v9-gfcv-xcq6

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-52295

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-52295

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-52295

EUVD