CVE-2024-23328
- Reference to the description:
- Description:
- DataEase is an open source data visualization analysis tool. A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The vulnerable code is located in `core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java`. The blacklist of MySQL JDBC attacks can be bypassed, and attackers can further exploit it for deserialized execution or reading arbitrary files. This vulnerability is patched in 1.18.15 and 2.3.0.
- Last updated date:
- 01/08/2025
- Type:
- exploit
- Confidence:
- HIGH
- Date of publishing:
- 01/08/2025
- Reference URL to background:
- https://github.com/dataease/dataease/security/advisories/GHSA-8x8q-p622-jf25