PT-2024-35161 · Dataease · Dataease
Springkill +1 · Published 2024-11-13 · Updated 2025-02-20 · CVE-2024-52295
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
DataEase versions prior to 2.10.2
Description
The JWT secret is hardcoded in the code, which allows attackers to forge JWTs and take over services. The UID and OID are also hardcoded. This has been fixed in version 2.10.2.
Recommendations
For versions prior to 2.10.2, update to version 2.10.2 to resolve the issue. As a temporary workaround, consider restricting access to services that use the hardcoded JWT secret until the update is applied.
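One way to avoid a shared built-in signing key, as an added example (not DataEase code, which this page does not show): each install creates its own random HS256 key on first start, and verification rejects tokens signed with a constant that ships in source. The key file path, the placeholder constant and all function names are assumptions for illustration.

```python
import base64, hashlib, hmac, json, os, secrets, time

# Constructed placeholder standing in for a secret compiled into shipped code;
# it is not the value from DataEase.
HARDCODED_PLACEHOLDER = b"example-secret-shipped-in-source"

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def load_secret(path):
    """Return this install's signing key, creating a random one on first start."""
    if not os.path.exists(path):
        # O_EXCL plus mode 0600: never overwrite a key, readable by the owner only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(secrets.token_bytes(32))
    with open(path, "rb") as f:
        key = f.read()
    if len(key) < 32 or key == HARDCODED_PLACEHOLDER:
        raise ValueError("signing key is too short or a known built-in value")
    return key

def sign(claims, key):
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify(token, key):
    """Return the claims only if alg is HS256, the MAC matches and exp is in the future."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the header's choice
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _unb64(sig)):
            return None  # constant-time comparison of the MAC
        claims = json.loads(_unb64(body))
        return claims if claims.get("exp", 0) > time.time() else None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: wrong part count, bad base64 or JSON
```

Because the key never appears in the code base, reading the source no longer yields anything that signs a token another install will accept.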
Using Hardcoded Credentials
Affected Products
Dataease