CVE-2024-52295: DataEase has a forged JWT token vulnerability
First published: Wed Nov 13 2024(Updated: )
DataEase is an open source data visualization analysis tool. Prior to 2.10.2, DataEase allows attackers to forge jwt and take over services. The JWT secret is hardcoded in the code, and the UID and OID are hardcoded. The vulnerability has been fixed in v2.10.2.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Dataease | <2.10.2 | |
| Dataease | <2.10.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-52295?
CVE-2024-52295 is considered a high severity vulnerability due to its ability to allow attackers to forge JWTs and take over services.
How do I fix CVE-2024-52295?
To fix CVE-2024-52295, upgrade DataEase to version 2.10.2 or later where the vulnerability is patched.
What are the potential consequences of CVE-2024-52295?
Exploiting CVE-2024-52295 could lead to unauthorized access and control over services using DataEase.
Which versions of DataEase are affected by CVE-2024-52295?
CVE-2024-52295 affects all versions of DataEase prior to 2.10.2.
Is there a workaround for CVE-2024-52295?
There are no known workarounds for CVE-2024-52295; the recommended action is to upgrade to the fixed version.
- agent/title
- agent/weakness
- agent/references
- agent/description
- agent/type
- agent/first-publish-date
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/source
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/guess-ai
- agent/softwarecombine
- vendor/dataease
- canonical/dataease