CVE-2023-28637
HIGHDataEase < 1.18.5 - Remote Code Execution via AWS Redshift Data Source
Title source: llmDescription
DataEase is an open source data visualization analysis tool. In Dataease users are normally allowed to modify data and the data sources are expected to properly sanitize data. The AWS redshift data source does not provide data sanitization which may lead to remote code execution. This vulnerability has been fixed in v1.18.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References (1)
Core 1
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/dataease/dataease/security/advisories/GHSA-8wg2-9gwc-5fx2
Scores
CVSS v3
8.0
EPSS
0.0132
EPSS Percentile
67.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-74
Status
published
Products (1)
dataease/dataease
< 1.18.5
Published
Mar 28, 2023
Tracked Since
Feb 18, 2026