JWT Forgery Vulnerability in DataEase by DataEase Team
CVE-2024-52295
9.8CRITICAL
What is CVE-2024-52295?
DataEase, an open-source data visualization analysis tool, is prone to a vulnerability where attackers can forge JSON Web Tokens (JWT) due to hardcoded secrets within the code. Specifically, the UID and OID values are also hardcoded, allowing unauthorized users to potentially take control over services relying on this authentication mechanism. This issue has been addressed in version 2.10.2, with affected deployments urged to upgrade to mitigate risks associated with this flaw.