CVE-2024-30269 MEDIUM

CVE-2024-30269: DataEase has database configuration information exposure vulnerability

Vendor: Dataease
Product: dataease
Weakness: CWE-200 · Info exposure
Published: April 8, 2024
Last update: August 2, 2024

CVSS base score

5.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability in versions prior to 2.5.0. Requesting the `/de2api/engine/getEngine;.js` path in a browser returns the platform's database configuration. The vulnerability is fixed in v2.5.0. There are no known workarounds other than upgrading.
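A defender-side check for the request described above, as an added example (not DataEase code and not part of the CVE record): it scans web access logs for the `/de2api/engine/getEngine` path carrying a `;` path parameter. The combined log format, the sample lines and the `served`/`rejected` labels are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Endpoint named in the advisory. The request of interest appends a ";..."
# path parameter to it, as in "/de2api/engine/getEngine;.js".
ENDPOINT = "/de2api/engine/getengine;"

# Assumed log layout (common/combined format):
#   ip ident user [timestamp] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def classify(line):
    """Return (ip, verdict) for a matching log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Drop the query string, decode so "%3B" is treated like ";", and
    # collapse repeated slashes before comparing.
    path = unquote(m["target"].split("?", 1)[0])
    path = re.sub(r"/{2,}", "/", path).lower()
    # Substring match tolerates a reverse-proxy prefix; the case-insensitive
    # comparison errs on the side of flagging.
    if ENDPOINT not in path:
        return None
    # On an instance older than 2.5.0, a 200 here should be treated as a
    # response that disclosed the database configuration.
    verdict = "served" if m["status"] == "200" else "rejected"
    return m["ip"], verdict

def scan(lines):
    """Return [(line_number, ip, verdict)] for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((number, *result))
    return hits

# Constructed sample log lines (documentation-range addresses).
SAMPLE = [
    '192.0.2.10 - - [08/Apr/2024:10:00:01 +0000] "GET /de2api/engine/getEngine;.js HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/Apr/2024:10:00:05 +0000] "GET /de2api/engine/getEngine%3B.js HTTP/1.1" 401 0',
    '203.0.113.5 - - [08/Apr/2024:10:00:09 +0000] "GET /de2api/engine/getEngine HTTP/1.1" 401 0',
    '203.0.113.5 - - [08/Apr/2024:10:00:12 +0000] "GET /static/app.js HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Any `served` hit on an instance that was running a version before 2.5.0 is a reason to rotate the database credentials held in that configuration after upgrading.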

Key dates

02 Disclosure timeline

April 8, 2024: CVE published
August 2, 2024: Record updated