CVE-2024-30269
published 2024-04-08CVE-2024-30269: DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting…
PriorityP178medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
16.00%
96.5th percentile
DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform's database configuration is returned. The vulnerability has been fixed in v2.5.0. No known workarounds are available aside from upgrading.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dataease | dataease | < 2.5.0 | 2.5.0 |
Detection & IOCsextracted from sources · hover to see the quote
- →The exploit leverages a Spring Security authentication bypass via the semicolon suffix (`;.js`) appended to the API path, causing the security filter to treat the request as a static resource and skip authentication. ↗
- →The exploit extracts database credentials from the JSON response field path: `data.configuration` (a JSON string containing `username`, `password`, and `port`). ↗
- ·Vulnerability affects DataEase versions prior to 2.5.0 (confirmed tested on 2.4.0). The fix was introduced in v2.5.0; instances running any version < 2.5.0 are exposed. ↗
- ·EPSS score of 0.91873 (99.692nd percentile) indicates very high probability of exploitation in the wild; prioritize detection and patching accordingly. ↗
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
DataEase 2.4.0 - Database Configuration Information Exposure
exploitdb·2025-04-06·CVSS 5.3
CVE-2024-30269 [MEDIUM] DataEase 2.4.0 - Database Configuration Information Exposure
DataEase 2.4.0 - Database Configuration Information Exposure
---
# Exploit Title: DataEase 2.4.0 - Database Configuration Information Exposure
# Shodan Dork: http.html:"dataease" #
# FOFA Dork: body="dataease" && title=="DataEase" #
# Exploit Author: ByteHunter #
# Email: [email protected] #
# vulnerable Versions: 2.4.0-2.5.0 #
# Tested on: 2.4.0 #
# CVE : CVE-2024-30269 #
############################ #
################################################################
import argparse
import requests
import re
import json
from tqdm import tqdm
def create_vulnerability_checker():
vulnerable_count = 0
def check_vulnerability(url):
nonlocal vulnerable_count
endpoint = "/de2api/engine/getEngine;.js"
full_url = f"{url}{endpoint}"
headers = {
"Host": url.split('/')[2],
"Accept-Encoding":
Nuclei
DataEase <= 2.4.1 - Sensitive Information Exposure
nuclei·CVSS 5.3
CVE-2024-30269 [MEDIUM] DataEase <= 2.4.1 - Sensitive Information Exposure
DataEase <= 2.4.1 - Sensitive Information Exposure
DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform's database configuration is returned.
Template:
id: CVE-2024-30269
info:
name: DataEase <= 2.4.1 - Sensitive Information Exposure
author: s4e-io
severity: medium
description: |
DataEase, an open source data visualization and analysis tool, has a database configuration information exposure vulnerability prior to version 2.5.0. Visiting the `/de2api/engine/getEngine;.js` path via a browser reveals that the platform's database configuration is returned.
impact: |
Attackers can access sensitive configura
No writeups or analysis indexed.
2024-04-08
Published
Exploited in the wild