CVE-2024-46997

DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, an attacker can achieve remote command execution by adding a carefully constructed h2 data source connection string. The vulnerability has been fixed in v2.10.1.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/dataease/dataease/security/advisories/GHSA-h7mj-m72h-qm8w	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

History

07 Oct 2024, 17:20

Type	Values Removed	Values Added
CPE		cpe:2.3:a:dataease:dataease::::::::
First Time		Dataease dataease Dataease
CWE		NVD-CWE-noinfo
References	~~() https://github.com/dataease/dataease/security/advisories/GHSA-h7mj-m72h-qm8w -~~	() https://github.com/dataease/dataease/security/advisories/GHSA-h7mj-m72h-qm8w - Exploit, Vendor Advisory

26 Sep 2024, 13:32

Type	Values Removed	Values Added
Summary		(es) DataEase es una herramienta de análisis de visualización de datos de código abierto. Antes de la versión 2.10.1, un atacante podía ejecutar comandos de forma remota agregando una cadena de conexión de fuente de datos h2 cuidadosamente construida. La vulnerabilidad se ha corregido en la versión 2.10.1.

23 Sep 2024, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-23 16:15

Updated : 2024-10-07 17:20

NVD link : CVE-2024-46997

Mitre link : CVE-2024-46997

CVE.ORG link : CVE-2024-46997

JSON object : View

Products Affected

dataease

dataease

CWE

NVD-CWE-noinfo CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

{"id": "CVE-2024-46997", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2024-09-23T16:15:06.387", "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-h7mj-m72h-qm8w", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-74"}]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, an attacker can achieve remote command execution by adding a carefully constructed h2 data source connection string. The vulnerability has been fixed in v2.10.1."}, {"lang": "es", "value": "DataEase es una herramienta de an\u00e1lisis de visualizaci\u00f3n de datos de c\u00f3digo abierto. Antes de la versi\u00f3n 2.10.1, un atacante pod\u00eda ejecutar comandos de forma remota agregando una cadena de conexi\u00f3n de fuente de datos h2 cuidadosamente construida. La vulnerabilidad se ha corregido en la versi\u00f3n 2.10.1."}], "lastModified": "2024-10-07T17:20:10.427", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58CDACB3-C8F7-4428-80BC-4AAA40E067A5", "versionEndExcluding": "2.10.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}