Dataease before 1.18.15/2.3.0 Deserialization Vulnerability in MySQL Datasource
CVE-2024-23328 Published on February 29, 2024
The Dataease datasource has a deserialization and arbitrary file read vulnerability
Dataease is an open source data visualization analysis tool. A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The vulnerable code is located in `core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java`. The blacklist intended to block MySQL JDBC attacks can be bypassed, and attackers can further exploit this for deserialized execution or reading arbitrary files. This vulnerability is patched in 1.18.15 and 2.3.0.
Vulnerability Analysis
CVE-2024-23328 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. A successful exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2024-23328 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.
Affected Versions
dataease:
- Version < 1.18.15 is affected.
- Version >= 2.0.0, < 2.3.0 is affected.
- Before 1.18.15 is affected.
- Version 2.0.0 and below 2.3.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.