CVE-2024-52295

Published Nov 13, 2024

Last updated 4 days ago

CVSS critical 9.3

Overview

Description
DataEase is an open source data visualization analysis tool. Prior to 2.10.2, DataEase allows attackers to forge jwt and take over services. The JWT secret is hardcoded in the code, and the UID and OID are hardcoded. The vulnerability has been fixed in v2.10.2.
Source
security-advisories@github.com
NVD status
Awaiting Analysis

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Secondary
Base score
0
Impact score
0
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
Severity
NONE

Weaknesses

security-advisories@github.com
CWE-798

Social media

Hype score
Not currently trending

  1. [CVE-2024-52295: CRITICAL] DataEase, an open-source data visualization tool, fixed a cyber security vulnerability in v2.10.2. Attackers could forge JWT to take over services due to hardcoded secrets.#cybersecurity,#vulnerability https://t.co/kjHd2PWePG https://t.co/DsBdlBjxNx

    @CveFindCom

    13 Nov 2024

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CVE-2024-52295 JWT Secret Vulnerability Fixed in DataEase Before v2.10.2 DataEase, a tool for data visualization, had a security issue before version 2.10.2. Attackers could create fake JWTs to control services. ... https://t.co/CReIEMtVr7

    @VulmonFeeds

    13 Nov 2024

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

References