CVE-2024-47073: Dataease arbitrary interface access vulnerability
First published: Thu Nov 07 2024(Updated: )
DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions a the lack of signature verification of jwt tokens allows attackers to forge jwts which then allow access to any interface. The vulnerability has been fixed in v2.10.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dataease | <2.10.2 | |
| Dataease | <2.10.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2024-47073?
CVE-2024-47073 has a high severity due to the risk of unauthorized access through forged JWT tokens.
How do I fix CVE-2024-47073?
To fix CVE-2024-47073, you should upgrade DataEase to version 2.10.2 or later, which includes proper JWT signature verification.
What versions of DataEase are affected by CVE-2024-47073?
CVE-2024-47073 affects all versions of DataEase prior to 2.10.2.
What type of vulnerability is CVE-2024-47073?
CVE-2024-47073 is classified as a JWT signature verification vulnerability.
What can attackers do with CVE-2024-47073?
Attackers can exploit CVE-2024-47073 to forge JWT tokens, allowing them to gain unauthorized access to system interfaces.
- agent/weakness
- agent/references
- agent/title
- agent/description
- agent/first-publish-date
- agent/type
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/guess-ai
- agent/softwarecombine
- vendor/dataease
- canonical/dataease