cbcvebase.
CVE-2024-30269
published 2024-04-08

CVE-2024-30269: DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting…

PriorityP178medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
16.00%
96.5th percentile
DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform's database configuration is returned. The vulnerability has been fixed in v2.5.0. No known workarounds are available aside from upgrading.

Affected

1 ranges
VendorProductVersion rangeFixed in
dataeasedataease< 2.5.02.5.0

Detection & IOCsextracted from sources · hover to see the quote

url/de2api/engine/getEngine;.js
path/de2api/engine/getEngine;.js
  • The exploit leverages a Spring Security authentication bypass via the semicolon suffix (`;.js`) appended to the API path, causing the security filter to treat the request as a static resource and skip authentication.
  • The exploit extracts database credentials from the JSON response field path: `data.configuration` (a JSON string containing `username`, `password`, and `port`).
  • ·Vulnerability affects DataEase versions prior to 2.5.0 (confirmed tested on 2.4.0). The fix was introduced in v2.5.0; instances running any version < 2.5.0 are exposed.
  • ·EPSS score of 0.91873 (99.692nd percentile) indicates very high probability of exploitation in the wild; prioritize detection and patching accordingly.

CVSS provenance

nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.