CVE-2025-58046

Exploit

EPSS 1.64%
Veröffentlicht 15.09.2025 16:04:10
Zuletzt bearbeitet 19.09.2025 19:31:40
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Dataease has a JDBC attack vulnerability in the Impala datasource

Dataease is an open-source data visualization and analysis platform. In versions up to and including 2.10.12, the Impala data source is vulnerable to remote code execution due to insufficient filtering in the getJdbc method of the io.dataease.datasource.type.Impala class. Attackers can construct malicious JDBC connection strings that exploit JNDI injection and trigger RMI deserialization, ultimately enabling remote command execution. The vulnerability can be exploited by editing the data source and providing a crafted JDBC connection string that references a remote configuration file, leading to RMI-based deserialization attacks. This issue has been patched in version 2.10.13. It is recommended to upgrade to the latest version. No known workarounds exist for affected versions.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Dataease ≫ Dataease Version < 2.10.13

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.64%	0.821

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://github.com/dataease/dataease/commit/8d04e92d44e1bac9284e9e64df5afd7f96d9373c

Patch

https://github.com/dataease/dataease/security/advisories/GHSA-mvwc-x8x9-46c3

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-58046

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-58046

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-58046

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-58046