CVE-2024-31441: Arbitrary File Reading in DataEase
First published: Fri May 10 2024(Updated: )
DataEase is an open source data visualization analysis tool. Due to the lack of restrictions on the connection parameters for the ClickHouse data source, it is possible to exploit certain malicious parameters to achieve arbitrary file reading. The vulnerability has been fixed in v1.18.19.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dataease | <1.18.19 | |
| Dataease | <1.18.19 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-31441?
The severity of CVE-2024-31441 is high due to the potential for arbitrary file reading on compromised systems.
How do I fix CVE-2024-31441?
To fix CVE-2024-31441, update DataEase to version 1.1 or later to mitigate the vulnerability.
What systems are affected by CVE-2024-31441?
CVE-2024-31441 affects DataEase versions prior to 1.18.19.
Can CVE-2024-31441 lead to data leakage?
Yes, CVE-2024-31441 can lead to data leakage through arbitrary file reading if exploited.
Is CVE-2024-31441 exploitable remotely?
Yes, CVE-2024-31441 can be exploited remotely due to inadequate restrictions on connection parameters.
- agent/weakness
- agent/references
- agent/description
- agent/title
- agent/first-publish-date
- agent/type
- agent/severity
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/last-modified-date
- agent/tags
- agent/event
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- vendor/dataease
- canonical/dataease