cve-2024-30269
Vulnerability from cvelistv5
Published
2024-04-08 14:19
Modified
2024-08-02 01:32
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform's database configuration is returned. The vulnerability has been fixed in v2.5.0. No known workarounds are available aside from upgrading.
References
security-advisories@github.comhttps://github.com/dataease/dataease/releases/tag/v2.5.0
security-advisories@github.comhttps://github.com/dataease/dataease/security/advisories/GHSA-8gvx-4qvj-6vv5
af854a3a-2127-422b-91ae-364da2661108https://github.com/dataease/dataease/releases/tag/v2.5.0
af854a3a-2127-422b-91ae-364da2661108https://github.com/dataease/dataease/security/advisories/GHSA-8gvx-4qvj-6vv5
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dataease",
            "vendor": "dataease",
            "versions": [
              {
                "lessThan": "2.5.0",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-30269",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-04-09T14:45:53.286254Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-31T19:26:07.521Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:32:07.018Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/dataease/dataease/security/advisories/GHSA-8gvx-4qvj-6vv5",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/dataease/dataease/security/advisories/GHSA-8gvx-4qvj-6vv5"
          },
          {
            "name": "https://github.com/dataease/dataease/releases/tag/v2.5.0",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/dataease/dataease/releases/tag/v2.5.0"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "dataease",
          "vendor": "dataease",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform\u0027s database configuration is returned. The vulnerability has been fixed in v2.5.0. No known workarounds are available aside from upgrading."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-04-08T14:19:56.293Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/dataease/dataease/security/advisories/GHSA-8gvx-4qvj-6vv5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/dataease/dataease/security/advisories/GHSA-8gvx-4qvj-6vv5"
        },
        {
          "name": "https://github.com/dataease/dataease/releases/tag/v2.5.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/dataease/dataease/releases/tag/v2.5.0"
        }
      ],
      "source": {
        "advisory": "GHSA-8gvx-4qvj-6vv5",
        "discovery": "UNKNOWN"
      },
      "title": "DataEase has database configuration information exposure vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-30269",
    "datePublished": "2024-04-08T14:19:56.293Z",
    "dateReserved": "2024-03-26T12:52:00.935Z",
    "dateUpdated": "2024-08-02T01:32:07.018Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-30269\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-04-08T15:15:07.820\",\"lastModified\":\"2024-11-21T09:11:35.500\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform\u0027s database configuration is returned. The vulnerability has been fixed in v2.5.0. No known workarounds are available aside from upgrading.\"},{\"lang\":\"es\",\"value\":\"DataEase, una herramienta de an\u00e1lisis y visualizaci\u00f3n de datos de c\u00f3digo abierto, tiene una vulnerabilidad de exposici\u00f3n de informaci\u00f3n de configuraci\u00f3n de base de datos anterior a la versi\u00f3n 2.5.0. Visitar la ruta `/de2api/engine/getEngine;.js` a trav\u00e9s de un navegador revela que se devuelve la configuraci\u00f3n de la base de datos de la plataforma. La vulnerabilidad se ha solucionado en v2.5.0. No hay workarounds disponibles aparte de la actualizaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://github.com/dataease/dataease/releases/tag/v2.5.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dataease/dataease/security/advisories/GHSA-8gvx-4qvj-6vv5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/dataease/dataease/releases/tag/v2.5.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/dataease/dataease/security/advisories/GHSA-8gvx-4qvj-6vv5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.