6.5

CVE-2025-15597

Exploit

Dataease SQLBot API Endpoint assistant.py access control

A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.0 mitigates this issue. The name of the patch is d640ac31d1ce64ce90e06cf7081163915c9fc28c. Upgrading the affected component is recommended. Multiple endpoints are affected. The vendor was contacted early about this disclosure.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Fit2cloudSqlbot Version < 1.5.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.55% 0.416
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.3 2.8 3.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com 2.1 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com 6.3 2.8 3.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com 6.5 8 6.4
AV:N/AC:L/Au:S/C:P/I:P/A:P
CWE-266 Incorrect Privilege Assignment

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/dataease/SQLBot/releases/tag/v1.5.0
Release Notes
https://vuldb.com/?id.348291
Third Party Advisory
VDB Entry
https://vuldb.com/?ctiid.348291
VDB Entry
Permissions Required
https://vuldb.com/?submit.706144
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.707283
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.707284
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.707285
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.707286
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.707288
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.707293
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.707294
Third Party Advisory
VDB Entry
https://vuldb.com/?submit.707295
Third Party Advisory
VDB Entry
https://github.com/yaowenxiao721/Poc/blob/main/SQLBot/SQLBot-User-Management-Broken-Access-Control.md
Third Party Advisory
Exploit
https://github.com/dataease/SQLBot/security/advisories/GHSA-h4xm-3q3p-5g6r
Vendor Advisory
Exploit
https://github.com/yaowenxiao721/Poc/blob/main/SQLBot/SQLBot-AIModel-Management-Missing-Authorization.md
Third Party Advisory
Exploit
https://github.com/dataease/SQLBot/commit/d640ac31d1ce64ce90e06cf7081163915c9fc28c
Patch
https://github.com/dataease/SQLBot/
Product