CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46997 – DataEase's H2 datasource has a remote command execution risk
https://notcve.org/view.php?id=CVE-2024-46997
DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, an attacker can achieve remote command execution by adding a carefully constructed h2 data source connection string. The vulnerability has been fixed in v2.10.1. • https://github.com/dataease/dataease/security/advisories/GHSA-h7mj-m72h-qm8w • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46985 – DataEase has an XXE vulnerability
https://notcve.org/view.php?id=CVE-2024-46985
DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, there is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading. The vulnerability has been fixed in v2.10.1. • https://github.com/dataease/dataease/security/advisories/GHSA-4m9p-7xg6-f4mm • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31441 – Arbitrary File Reading in DataEase
https://notcve.org/view.php?id=CVE-2024-31441
DataEase is an open source data visualization analysis tool. Due to the lack of restrictions on the connection parameters for the ClickHouse data source, it is possible to exploit certain malicious parameters to achieve arbitrary file reading. The vulnerability has been fixed in v1.18.19. DataEase es una herramienta de análisis de visualización de datos de código abierto. Debido a la falta de restricciones en los parámetros de conexión para la fuente de datos de ClickHouse, es posible explotar ciertos parámetros maliciosos para lograr una lectura de archivos arbitraria. • https://github.com/dataease/dataease/security/advisories/GHSA-h7hj-7wg6-p5wh • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30269 – DataEase has database configuration information exposure vulnerability
https://notcve.org/view.php?id=CVE-2024-30269
DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform's database configuration is returned. The vulnerability has been fixed in v2.5.0. No known workarounds are available aside from upgrading. DataEase, una herramienta de análisis y visualización de datos de código abierto, tiene una vulnerabilidad de exposición de información de configuración de base de datos anterior a la versión 2.5.0. • https://github.com/dataease/dataease/releases/tag/v2.5.0 https://github.com/dataease/dataease/security/advisories/GHSA-8gvx-4qvj-6vv5 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-23328 – The Dataease datasource exists deserialization and arbitrary file read vulnerability
https://notcve.org/view.php?id=CVE-2024-23328
Dataease is an open source data visualization analysis tool. A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The location of the vulnerability code is `core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java.` The blacklist of mysql jdbc attacks can be bypassed and attackers can further exploit it for deserialized execution or reading arbitrary files. This vulnerability is patched in 1.18.15 and 2.3.0. Dataease es una herramienta de análisis de visualización de datos de código abierto. • https://github.com/dataease/dataease/commit/4128adf5fc4592b55fa1722a53b178967545d46a https://github.com/dataease/dataease/commit/bb540e6dc83df106ac3253f331066129a7487d1a https://github.com/dataease/dataease/security/advisories/GHSA-8x8q-p622-jf25 • CWE-502: Deserialization of Untrusted Data •