CVE-2024-47073
published 2024-11-07


Priority: P266, critical, 9.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploit: available
EPSS: 1.22% (65.0th percentile)
DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions, the lack of signature verification of JWT tokens allows attackers to forge JWTs, which then grant access to any interface. The vulnerability has been fixed in v2.10.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected

1 range

Vendor     Product    Version range   Fixed in
dataease   dataease   < 2.10.2        2.10.2

Detection & IOCs (extracted from sources)

url: /de2api/user/info
other: X-DE-TOKEN: <forged_jwt>
other: {"uid":1,"oid":1,"exp":<unix_time+1000>} signed with HS256 and an arbitrary/random secret
  • Detect exploitation attempts by monitoring HTTP requests to /de2api/user/info (or any /de2api/* endpoint) carrying an X-DE-TOKEN header that contains a JWT signed with an arbitrary/random secret (HS256 algorithm). A forged token with uid=1 and oid=1 is the canonical PoC payload.
  • Alert on HTTP 200 responses to /de2api/user/info whose body contains '"oid":"1"' together with the 'data' and 'code' fields; this indicates a successful JWT forgery and authentication bypass.
  • Use Shodan/FOFA queries to identify exposed DataEase instances as potential targets: Shodan: http.html:"dataease", FOFA: body="dataease".
  • The vulnerability is unauthenticated (PR:N, UI:N) and network-reachable (AV:N), with an EPSS score of 0.56105 (98th percentile), indicating a high likelihood of active exploitation. Prioritize patching all DataEase instances below v2.10.2.
  • The JWT forgery works because DataEase does NOT verify the JWT signature: any HS256 token signed with a random/arbitrary secret is accepted. Detection logic must therefore focus on the presence of the X-DE-TOKEN header and the forged payload structure rather than on signature validity.
  • The PoC uses uid=1 and oid=1 (superuser/admin identifiers). Defenders should also watch for other uid/oid values in forged tokens, as any value may be accepted by the vulnerable endpoint.
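The detection bullets above describe the signal (an X-DE-TOKEN JWT whose HS256 signature does not match the server key, and a 200 response to it) but not how to check it. The script below is an added example written for this page, not DataEase's own code: it implements the signature, algorithm and expiry check that the affected versions skipped and runs it over a handful of constructed access-log lines. The server secret, the log line format, the sample entries and the second /de2api/ path are all assumptions made for the demo; only /de2api/user/info, the X-DE-TOKEN header and the uid=1/oid=1 payload shape come from the advisory.

```python
"""Flag forged X-DE-TOKEN JWTs in request logs (CVE-2024-47073 pattern).

Hypothetical example: the server secret, log format and sample entries
below are constructed for this demo; none of it is DataEase's own code.
"""
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional

# Constructed secret standing in for the server's real HS256 signing key.
SERVER_SECRET = b"demo-server-secret-not-real"

# Constructed log format: "<ts> <method> <path> <status> X-DE-TOKEN=<jwt>".
LOG_RE = re.compile(r"^(\S+) (\S+) (/de2api/\S*) (\d{3}) X-DE-TOKEN=(\S+)$")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT; used here only to build the sample log input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """The check the vulnerable versions skipped: return the claims only if the
    header pins HS256, the HMAC matches the server key and exp has not passed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad JSON and wrong part count
        return None
    if header.get("alg") != "HS256":  # refuse alg=none and algorithm confusion
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def unverified_claims(token: str) -> dict:
    """Decode the payload without trusting it, so a finding can report uid/oid."""
    try:
        return json.loads(b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError):
        return {}


def scan_log(lines, secret: bytes, now: Optional[int] = None) -> list:
    """Report /de2api/* requests whose X-DE-TOKEN fails verification.
    A 200 on such a request means the server accepted a forged token."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, _method, path, status, token = m.groups()
        if verify_hs256(token, secret, now) is not None:
            continue
        claims = unverified_claims(token)
        findings.append({
            "ts": ts, "path": path, "status": int(status),
            "uid": claims.get("uid"), "oid": claims.get("oid"),
            "accepted": status == "200",  # bad signature + 200 = bypass succeeded
        })
    return findings


# Constructed sample traffic: a legitimate token, the advisory's PoC shape
# (uid=1, oid=1) signed with a random secret and answered 200, and the same
# forged token rejected with 401 on a placeholder /de2api/ path.
NOW = 1_730_966_400
GOOD = sign_hs256({"uid": 7, "oid": 1, "exp": NOW + 1000}, SERVER_SECRET)
FORGED = sign_hs256({"uid": 1, "oid": 1, "exp": NOW + 1000}, b"random-attacker-secret")
SAMPLE_LOG = [
    f"2024-11-07T10:00:00Z GET /de2api/user/info 200 X-DE-TOKEN={GOOD}",
    f"2024-11-07T10:00:05Z GET /de2api/user/info 200 X-DE-TOKEN={FORGED}",
    f"2024-11-07T10:00:09Z GET /de2api/placeholder/endpoint 401 X-DE-TOKEN={FORGED}",
    "2024-11-07T10:00:12Z GET /static/app.js 200",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, SERVER_SECRET, NOW):
        print("BYPASS" if finding["accepted"] else "attempt", finding)
```

On the sample input the scanner returns two findings: the forged uid=1/oid=1 token that received a 200 (a confirmed bypass) and the same token rejected with 401 (an attempt). The point of `verify_hs256` is that the HMAC is recomputed with the server's own key and compared in constant time; a token whose signature was produced with any other secret, or whose header does not say HS256, is rejected before its claims are trusted.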

CVSS provenance

NVD, v3.1: 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD, v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X