CVE-2024-30269

MEDIUM EXPLOITED NUCLEI

dataease < 2.5.0 - Unauthenticated Exposure of Sensitive Database Configuration via /de2api/engine/getEngine;.js

Title source: llm

Exploitation Summary

CVE-2024-30269 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including ByteHunter. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit targets CVE-2024-30269 in DataEase 2.4.0-2.5.0, exposing database configuration information including credentials via an unauthenticated API endpoint. It sends a GET request to /de2api/engine/getEngine;.js and parses the JSON response for sensitive data.

Description

DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform's database configuration is returned. The vulnerability has been fixed in v2.5.0. No known workarounds are available aside from upgrading.

Exploits (1)

exploitdb WORKING POC

by ByteHunter · pythonwebappsjava

https://www.exploit-db.com/exploits/52128

View Code ZIP pw:eip

This exploit targets CVE-2024-30269 in DataEase 2.4.0-2.5.0, exposing database configuration information including credentials via an unauthenticated API endpoint. It sends a GET request to /de2api/engine/getEngine;.js and parses the JSON response for sensitive data.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: DataEase 2.4.0-2.5.0

No auth needed

Prerequisites: Network access to the target DataEase instance

MITRE ATT&CK

T1592 - Gather Victim Host Information T1082 - System Information Discovery

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

DataEase <= 2.4.1 - Sensitive Information Exposure

MEDIUMVERIFIEDby s4e-io

Shodan: http.html:"dataease"

FOFA: body="dataease"

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/dataease/dataease/security/advisories/GHSA-8gvx-4qvj-6vv5

Release Notes x_refsource_misc

https://github.com/dataease/dataease/releases/tag/v2.5.0

Scores

CVSS v3 5.3

EPSS 0.1600

EPSS Percentile 96.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2025-06-28

CWE

CWE-200

Status published

Products (1)

dataease/dataease < 2.5.0

Published Apr 08, 2024

Tracked Since Feb 18, 2026