CVE-2025-49001

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification does not take effect successfully, so a user can use any secret to forge a JWT token. The vulnerability has been fixed in v2.10.10. No known workarounds are available.
Configurations

Configuration 1

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

History

05 Jun 2025, 14:07

| Type | Values Removed | Values Added |
| --- | --- | --- |
| CPE | | cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:* |
| References | https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r | https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r - Broken Link |
| CWE | | NVD-CWE-noinfo |
| CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 9.8 |
| First Time | | Dataease dataease; Dataease |

04 Jun 2025, 14:15

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Summary | | (es) DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.10, secret verification was not performed correctly, so a user could use any secret to forge a JWT token. The vulnerability has been fixed in version 2.10.10. No workarounds are known. |
| References | https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r | https://github.com/dataease/dataease/security/advisories/GHSA-xx2m-gmwg-mf3r |

03 Jun 2025, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-06-03 21:15

Updated : 2025-06-05 14:07


NVD link : CVE-2025-49001

Mitre link : CVE-2025-49001

CVE.ORG link : CVE-2025-49001



Products Affected

dataease

  • dataease
CWE
CWE-287

Improper Authentication

NVD-CWE-noinfo