Vulnerability DatabaseCVE-2024-23328
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-23328
February 01, 2024
Dataease is an open source data visualization analysis tool. A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The location of the vulnerability code is "core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java." The blacklist of mysql jdbc attacks can be bypassed and attackers can further exploit it for deserialized execution or reading arbitrary files. This vulnerability is patched in 1.18.15 and 2.3.0.
Related Resources (3)
https://github.com/dataease/dataease/commit/bb540e6dc83df106ac3253f331066129a7487d1a
https://github.com/dataease/dataease/commit/4128adf5fc4592b55fa1722a53b178967545d46a
https://github.com/dataease/dataease/security/advisories/GHSA-8x8q-p622-jf25
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
9.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Deserialization of Untrusted Data
CWE-502
EPSS
Base Score:
0.60