{"id": "CVE-2024-47074", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 9.3, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "HIGH", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": 
"NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-10-11T15:15:05.353", "references": [{"url": "https://github.com/dataease/dataease/commit/86eafc4d77f0bbc0eaa7fc58e5076a085257f259", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dataease/dataease/security/advisories/GHSA-jgg7-w629-wcpc", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source data visualization analysis tool. In DataEase, the PostgreSQL data source in the data source function allows the JDBC connection parameters and the target PG server to be customized. In backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java, the PgConfiguration class does not filter any parameters and directly concatenates user input. If an attacker adds parameters to the JDBC URL and connects to a malicious PG server, the attacker can trigger the PG JDBC deserialization vulnerability and, through it, eventually execute system commands and obtain server privileges. The vulnerability has been fixed in v1.18.25."}, {"lang": "es", "value": "DataEase es una herramienta de an\u00e1lisis de visualizaci\u00f3n de datos de c\u00f3digo abierto. En DataEase, la fuente de datos PostgreSQL en la funci\u00f3n de fuente de datos puede personalizar los par\u00e1metros de conexi\u00f3n JDBC y el servidor PG de destino al que se conectar\u00e1. En backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java, la clase PgConfiguration no filtra ning\u00fan par\u00e1metro, concatena directamente la entrada del usuario. 
Por lo tanto, si el atacante agrega algunos par\u00e1metros en la URL JDBC y se conecta al servidor PG malicioso, el atacante puede activar la vulnerabilidad de deserializaci\u00f3n de JDBC de PG y, eventualmente, el atacante puede ejecutar a trav\u00e9s de la vulnerabilidad de deserializaci\u00f3n comandos del sistema y obtener privilegios de servidor. La vulnerabilidad se ha corregido en v1.18.25."}], "lastModified": "2024-11-12T19:52:38.023", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D508B577-F415-41D2-99AC-DC412C371CE0", "versionEndExcluding": "1.18.25"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}