Arbitrary File Deserialization Vulnerability in DataEase Analytics Tool
CVE-2024-55953

8.1HIGH

Key Information:

Vendor: DataEase
Status: DataEase
Vendor: CVE Published:; 18 December 2024

What is CVE-2024-55953?

A vulnerability exists in the DataEase analytics tool that allows authenticated users to read and deserialize arbitrary files due to improper filtering of parameters in the JDBC connection string. This flaw could potentially enable attackers to exploit the system by accessing sensitive data or executing arbitrary code. The issue has been addressed in version 1.18.27, and users are strongly encouraged to update their installations immediately, as there are no known workarounds available to mitigate the risks associated with this vulnerability.

References

https://github.com/dataease/dataease/commit/0db4872a52ecc...

https://github.com/dataease/dataease/security/advisories/...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 18, 2024