CVE-2025-24974 HIGH

CVE-2025-24974: DataEase Mysql JDBC Connection Parameters Not Being Verified Leads to Arbitrary File Read Vulnerability

Vendor Dataease
Product dataease
Weakness CWE-862 · Missing authorization
Published March 13, 2025
Last update March 13, 2025

CVSS base score

7.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, authenticated users can read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.6. No known workarounds are available.

Key dates

02Disclosure timeline

March 13, 2025 CVE published
March 13, 2025 Record updated