CVE-2024-52295

critical

Description

DataEase is an open source data visualization analysis tool. Prior to 2.10.2, DataEase allows attackers to forge jwt and take over services. The JWT secret is hardcoded in the code, and the UID and OID are hardcoded. The vulnerability has been fixed in v2.10.2.

References

https://github.com/dataease/dataease/security/advisories/GHSA-45v9-gfcv-xcq6

https://github.com/dataease/dataease/commit/e755248d59543bcd668ace495f293ff735fa82e9

Details

Source: Mitre, NVD

Published: 2024-11-13

Updated: 2024-11-13

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

0
CVSS v4

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Severity: Critical