JWT Forgery Vulnerability in DataEase by DataEase Team
CVE-2024-52295

9.8CRITICAL

Key Information:

Vendor: DataEase Team
Status: DataEase
Vendor: CVE Published:; 13 November 2024

🔔 Create DataEase Team Vulnerability Alert

What is CVE-2024-52295?

DataEase, an open-source data visualization analysis tool, is prone to a vulnerability where attackers can forge JSON Web Tokens (JWT) due to hardcoded secrets within the code. Specifically, the UID and OID values are also hardcoded, allowing unauthorized users to potentially take control over services relying on this authentication mechanism. This issue has been addressed in version 2.10.2, with affected deployments urged to upgrade to mitigate risks associated with this flaw.

References

https://github.com/dataease/dataease/security/advisories/...

https://github.com/dataease/dataease/commit/e755248d59543...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 13, 2024