CVE-2024-52295

CRITICAL

DataEase <2.10.2 - Auth Bypass

Description

DataEase is an open-source data visualization and analysis tool. Prior to 2.10.2, DataEase allows attackers to forge JWTs and take over services, because the JWT secret is hardcoded in the code and the UID and OID are also hardcoded. The vulnerability has been fixed in v2.10.2.

Exploits (1)

GitHub · WORKING POC · 40 stars
by iSee857 · python · poc
https://github.com/iSee857/CVE-PoC/tree/main/DataEase(CVE-2024-52295).py

Scores

CVSS v3 9.8
EPSS 0.0069
EPSS Percentile 71.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-798
Status published
Products (1)
dataease/dataease < 2.10.2
Published Nov 13, 2024
Tracked Since Feb 18, 2026