CVE-2024-47073

DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions a the lack of signature verification of jwt tokens allows attackers to forge jwts which then allow access to any interface. The vulnerability has been fixed in v2.10.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS

No CVSS.

References

Link	Resource
https://github.com/dataease/dataease/security/advisories/GHSA-5jr4-wrm2-xj36

Configurations

No configuration.

History

08 Nov 2024, 17:35

Type	Values Removed	Values Added
Summary		(es) DataEase es una herramienta de análisis de visualización de datos de código abierto que ayuda a los usuarios a analizar rápidamente los datos y obtener información sobre las tendencias comerciales. En las versiones afectadas, la falta de verificación de firma de los tokens JWT permite a los atacantes falsificar JWT que luego permiten el acceso a cualquier interfaz. La vulnerabilidad se ha corregido en la versión 2.10.2 y se recomienda a todos los usuarios que actualicen la versión. No se conocen workarounds para esta vulnerabilidad.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 0.0

07 Nov 2024, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-07 18:15

Updated : 2024-11-08 19:01

NVD link : CVE-2024-47073

Mitre link : CVE-2024-47073

CVE.ORG link : CVE-2024-47073

JSON object : View

Products Affected

No product.

CWE

CWE-347

Improper Verification of Cryptographic Signature

{"id": "CVE-2024-47073", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0.0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 0.0, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 9.3, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-11-07T18:15:17.417", "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-5jr4-wrm2-xj36", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-347"}]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions a the lack of signature verification of jwt tokens allows attackers to forge jwts which then allow access to any interface. The vulnerability has been fixed in v2.10.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "DataEase es una herramienta de an\u00e1lisis de visualizaci\u00f3n de datos de c\u00f3digo abierto que ayuda a los usuarios a analizar r\u00e1pidamente los datos y obtener informaci\u00f3n sobre las tendencias comerciales. En las versiones afectadas, la falta de verificaci\u00f3n de firma de los tokens JWT permite a los atacantes falsificar JWT que luego permiten el acceso a cualquier interfaz. La vulnerabilidad se ha corregido en la versi\u00f3n 2.10.2 y se recomienda a todos los usuarios que actualicen la versi\u00f3n. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2024-11-08T19:01:03.880", "sourceIdentifier": "security-advisories@github.com"}