CVE-2025-48998

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass of the patch for CVE-2025-27103 allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

CVSS

No CVSS.

References

Link	Resource
https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692
https://github.com/dataease/dataease/security/advisories/GHSA-v4gg-8rp3-ccjx
https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692

Configurations

No configuration.

History

04 Jun 2025, 14:54

Type	Values Removed	Values Added
Summary		(es) DataEase es una herramienta de código abierto de inteligencia empresarial y visualización de datos. Antes de la versión 2.10.6, una omisión del parche para CVE-2025-27103 permitía a los usuarios autenticados leer y deserializar archivos arbitrarios mediante la conexión JDBC en segundo plano. La vulnerabilidad se ha corregido en la versión 2.10.10. No se conocen workarounds.

03 Jun 2025, 21:15

Type	Values Removed	Values Added
References	~~() https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692 -~~	() https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692 -

03 Jun 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-03 19:15

Updated : 2025-06-04 14:54

NVD link : CVE-2025-48998

Mitre link : CVE-2025-48998

CVE.ORG link : CVE-2025-48998

JSON object : View

Products Affected

No product.

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-862

Missing Authorization

{"id": "CVE-2025-48998", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-03T19:15:39.727", "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692", "source": "security-advisories@github.com"}, {"url": "https://github.com/dataease/dataease/security/advisories/GHSA-v4gg-8rp3-ccjx", "source": "security-advisories@github.com"}, {"url": "https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-89"}, {"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass of the patch for CVE-2025-27103 allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.10. No known workarounds are available."}, {"lang": "es", "value": "DataEase es una herramienta de c\u00f3digo abierto de inteligencia empresarial y visualizaci\u00f3n de datos. Antes de la versi\u00f3n 2.10.6, una omisi\u00f3n del parche para CVE-2025-27103 permit\u00eda a los usuarios autenticados leer y deserializar archivos arbitrarios mediante la conexi\u00f3n JDBC en segundo plano. La vulnerabilidad se ha corregido en la versi\u00f3n 2.10.10. No se conocen workarounds."}], "lastModified": "2025-06-04T14:54:33.783", "sourceIdentifier": "security-advisories@github.com"}