CVE-2024-55953 HIGH

CVE-2024-55953: Dataease Mysql JDBC Connection Parameters Not Verified Leads to Deserialization and Arbitrary File Read Vulnerability

Vendor Dataease
Product dataease
Weakness CWE-89 · SQLi
Published December 18, 2024
Last update December 18, 2024

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

DataEase is an open source business analytics tool. Authenticated users can read and deserialize arbitrary files through the back-end JDBC connection: when the JDBC connection string is constructed, the user-supplied connection parameters are not filtered. This vulnerability has been fixed in v1.18.27. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02 Disclosure timeline

December 18, 2024 CVE published
December 18, 2024 Record updated