DataEase is an open source business analytics tool. An authenticated user can read and deserialize arbitrary files through the backend JDBC connection: when the MySQL JDBC connection string is built, the user-supplied connection parameters are not filtered, so arbitrary driver options can be injected into the URL. This vulnerability has been fixed in v1.18.27. Users are advised to upgrade. There are no known workarounds for this vulnerability.
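The description names the root cause (unfiltered JDBC connection parameters) but not what a safe builder looks like. The following is an added example, not DataEase's own code or its v1.18.27 fix: it shows the vulnerable pattern of concatenating user input straight into a `jdbc:mysql://` URL beside a hardened builder that validates host, port and database name and accepts only an allow-list of benign driver options. The deny-list holds the MySQL Connector/J options that are the usual vehicle for driver-side deserialization (`autoDeserialize` plus a `queryInterceptors`/`statementInterceptors` class) and local file disclosure (`allowLoadLocalInfile`, `allowLoadLocalInfileInPath`, `allowUrlInLocalInfile`); which options DataEase itself blocks, the class and method names, and the sample input are assumptions made for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical hardening for a DataEase-style MySQL datasource form (Java 11+). */
public class JdbcUrlHardening {

    // Vulnerable pattern: whatever the user typed lands in the driver URL verbatim.
    static String buildUrlUnfiltered(String host, int port, String db, String extraParams) {
        return "jdbc:mysql://" + host + ":" + port + "/" + db + "?" + extraParams;
    }

    // Connector/J options that turn a connection to a hostile or attacker-chosen
    // MySQL server into Java deserialization or local file read on the client.
    // Assumed deny-list for this example; kept as defense in depth behind the allow-list.
    static final Set<String> DENIED = Set.of(
        "autodeserialize", "queryinterceptors", "statementinterceptors",
        "allowloadlocalinfile", "allowloadlocalinfileinpath", "allowurlinlocalinfile");

    // Options a BI tool plausibly needs from a user, keyed by lower-case name so the
    // check is case-insensitive; the value is the canonical spelling written to the URL.
    static final Map<String, String> ALLOWED = Map.of(
        "usessl", "useSSL",
        "requiressl", "requireSSL",
        "characterencoding", "characterEncoding",
        "useunicode", "useUnicode",
        "servertimezone", "serverTimezone",
        "connecttimeout", "connectTimeout",
        "sockettimeout", "socketTimeout",
        "zerodatetimebehavior", "zeroDateTimeBehavior");

    // Host, database and value shapes are tightened so that ?, &, = and / cannot
    // smuggle extra parameters in through a field other than extraParams.
    static final Pattern HOST = Pattern.compile("^[A-Za-z0-9.-]{1,253}$");
    static final Pattern DB_NAME = Pattern.compile("^[A-Za-z0-9_$]{1,64}$");
    static final Pattern PARAM_VALUE = Pattern.compile("^[A-Za-z0-9_+.:/-]{1,64}$");

    static String buildUrlHardened(String host, int port, String db, String extraParams) {
        if (!HOST.matcher(host).matches()) throw new IllegalArgumentException("bad host");
        if (port < 1 || port > 65535) throw new IllegalArgumentException("bad port");
        if (!DB_NAME.matcher(db).matches()) throw new IllegalArgumentException("bad database name");

        StringBuilder url = new StringBuilder("jdbc:mysql://")
            .append(host).append(':').append(port).append('/').append(db);
        String sep = "?";
        for (Map.Entry<String, String> e : parseParams(extraParams).entrySet()) {
            url.append(sep).append(e.getKey()).append('=').append(e.getValue());
            sep = "&";
        }
        return url.toString();
    }

    // Splits "k=v&k2=v2", percent-decodes and lower-cases each key before comparing,
    // so spellings such as %61utoDeserialize or AutoDeserialize are still rejected.
    static Map<String, String> parseParams(String extraParams) {
        Map<String, String> out = new LinkedHashMap<>();
        if (extraParams == null || extraParams.isEmpty()) return out;
        for (String pair : extraParams.split("&")) {
            int eq = pair.indexOf('=');
            if (eq <= 0) throw new IllegalArgumentException("malformed parameter: " + pair);
            String key = URLDecoder.decode(pair.substring(0, eq), StandardCharsets.UTF_8)
                .trim().toLowerCase(Locale.ROOT);
            String value = URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8).trim();
            if (DENIED.contains(key)) throw new IllegalArgumentException("forbidden JDBC option: " + key);
            String canonical = ALLOWED.get(key);
            if (canonical == null) throw new IllegalArgumentException("unknown JDBC option: " + key);
            if (!PARAM_VALUE.matcher(value).matches()) throw new IllegalArgumentException("bad value for " + canonical);
            out.put(canonical, value);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample input: a benign option followed by the deserialization pair.
        String hostile = "useSSL=false&autoDeserialize=true"
            + "&queryInterceptors=com.mysql.cj.jdbc.interceptors.ServerStatusDiffInterceptor";
        System.out.println("unfiltered: " + buildUrlUnfiltered("db.example", 3306, "bi", hostile));
        try {
            buildUrlHardened("db.example", 3306, "bi", hostile);
        } catch (IllegalArgumentException ex) {
            System.out.println("hardened rejected: " + ex.getMessage());
        }
        System.out.println("hardened ok: "
            + buildUrlHardened("db.example", 3306, "bi", "useSSL=true&serverTimezone=UTC"));
    }
}
```

The allow-list, not the deny-list, is the real control: a deny-list has to track every option the driver grows, whereas an allow-list fails closed on anything new. Rejecting `?`, `&` and `=` in the host and database fields matters just as much as filtering `extraParams`, since a database name of `bi?autoDeserialize=true` would otherwise reach the driver unchanged through the concatenation shown in `buildUrlUnfiltered`.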
History

Mon, 14 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | epss | epss |
Thu, 20 Feb 2025 16:45:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| First Time appeared | Dataease Dataease dataease | |
| CPEs | cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:* | |
| Vendors & Products | Dataease Dataease dataease | |
| Metrics | cvssV3_1 | |
Wed, 18 Dec 2024 20:15:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Metrics | ssvc | |
Wed, 18 Dec 2024 19:00:00 +0000
| Type | Values Removed | Values Added | 
|---|---|---|
| Description | DataEase is an open source business analytics tool. Authenticated users can read and deserialize arbitrary files through the background JDBC connection. When constructing the jdbc connection string, the parameters are not filtered. This vulnerability has been fixed in v1.18.27. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |
| Title | Dataease Mysql JDBC Connection Parameters Not Verified Leads to Deserialization and Arbitrary File Read Vulnerability | |
| Weaknesses | CWE-89 | |
| References |  | |
| Metrics | cvssV4_0 | |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-12-18T18:49:21.632Z
Updated: 2024-12-18T19:16:27.090Z
Reserved: 2024-12-13T17:47:38.371Z
Link: CVE-2024-55953

Vulnrichment
Updated: 2024-12-18T19:08:19.064Z

NVD
Status: Analyzed
Published: 2024-12-18T19:15:12.067
Modified: 2025-02-20T16:25:07.667
Link: CVE-2024-55953

Redhat
No data.