JWT Forgery Vulnerability in DataEase by DataEase Team
CVE-2024-52295

9.8CRITICAL

Key Information:

Status
Vendor
CVE Published:
13 November 2024

What is CVE-2024-52295?

DataEase, an open-source data visualization analysis tool, is prone to a vulnerability where attackers can forge JSON Web Tokens (JWT) due to hardcoded secrets within the code. Specifically, the UID and OID values are also hardcoded, allowing unauthorized users to potentially take control over services relying on this authentication mechanism. This issue has been addressed in version 2.10.2, with affected deployments urged to upgrade to mitigate risks associated with this flaw.

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.