CVE-2024-46985

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-46985

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-46985.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-46985

Aliases

GHSA-4m9p-7xg6-f4mm

Published

2024-09-23T16:15:06Z

Modified

2025-02-19T03:38:56.702017Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, there is an XML external entity injection vulnerability in the static resource upload interface of DataEase. An attacker can construct a payload to implement intranet detection and file reading. The vulnerability has been fixed in v2.10.1.

References

https://github.com/dataease/dataease/security/advisories/GHSA-4m9p-7xg6-f4mm

Affected packages

Git / github.com/dataease/dataease

Affected ranges

Type: GIT
Repo: https://github.com/dataease/dataease
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

51d201f084fa9ac06b5fc15fb5b8f064b1a2789e

Affected versions

v1.*

v1.0.0

v1.0.0-rc1

v1.0.0-rc2

v1.11.0

v1.11.1

v1.2.0

v1.3.0

v1.5.0

v1.5.1

v1.5.2

v1.6.0

v1.8.0

v1.9.0

v2.*

v2.10.0

v2.2.0

v2.3.0

v2.4.0

v2.6.0

v2.9.0