CVE-2023-35164

DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions a missing authorization check allows unauthorized users to manipulate a dashboard created by the administrator. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj	Exploit Vendor Advisory
https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:08

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~6.5~~	v2 : unknown v3 : 6.3
References	~~() https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj - Exploit, Vendor Advisory~~	() https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj - Exploit, Vendor Advisory

05 Jul 2023, 18:17

Type	Values Removed	Values Added
First Time		Dataease Dataease dataease
References	~~(MISC) https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj -~~	(MISC) https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj - Exploit, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CPE		cpe:2.3:a:dataease:dataease::::::::

26 Jun 2023, 22:22

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-06-26 22:15

Updated : 2024-11-21 08:08

NVD link : CVE-2023-35164

Mitre link : CVE-2023-35164

CVE.ORG link : CVE-2023-35164

JSON object : View

Products Affected

dataease

dataease

CWE

CWE-862

Missing Authorization

{"id": "CVE-2023-35164", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-06-26T22:15:11.317", "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions a missing authorization check allows unauthorized users to manipulate a dashboard created by the administrator. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "DataEase es una herramienta de an\u00e1lisis de visualizaci\u00f3n de datos de c\u00f3digo abierto para analizar datos y obtener informaci\u00f3n sobre las tendencias empresariales. En las versiones afectadas, la falta de una comprobaci\u00f3n de autorizaci\u00f3n permite a usuarios no autorizados manipular un cuadro de mando creado por el administrador. Esta vulnerabilidad se ha corregido en la versi\u00f3n 1.18.8. Se recomienda a los usuarios que la actualicen. No se conocen soluciones para esta vulnerabilidad. "}], "lastModified": "2024-11-21T08:08:04.420", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "21DCEC86-16D9-4180-9088-06D6AD31EF93", "versionEndExcluding": "1.18.8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}