Unrated severityNVD Advisory· Published Dec 18, 2024· Updated Dec 18, 2024

Dataease Mysql JDBC Connection Parameters Not Verified Leads to Deserialization and Arbitrary File Read Vulnerability

CVE-2024-55953

Description

DataEase is an open source business analytics tool. Authenticated users can read and deserialize arbitrary files through the background JDBC connection. When constructing the jdbc connection string, the parameters are not filtered. This vulnerability has been fixed in v1.18.27. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected products

Dataease/Dataeasev5
Range: < 1.18.27

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/dataease/dataease/commit/0db4872a52eccf6e83dd9359aa05db52dd580ec1mitrex_refsource_MISC
github.com/dataease/dataease/security/advisories/GHSA-mrf3-9q84-rcmfmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000