← Retour aux CVEs

CVE-2025-64428

CRITICAL

9.8

Description

Dataease is an open source data visualization analysis tool. Versions prior to 2.10.17 are vulnerable to JNDI injection. A blacklist was added in the patch for version 2.10.14. However, JNDI injection remains possible via the iiop, corbaname, and iiopname schemes. The vulnerability has been fixed in version 2.10.17.

Details CVE

Score CVSS v3.19.8

SeveriteCRITICAL

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie11/20/2025

Derniere modification11/24/2025

Sourcenvd

Observations honeypot0

Produits affectes

dataease:dataease

Faiblesses (CWE)

CWE-74

References

https://github.com/dataease/dataease/commit/b7e585c1cc3fc2b73cb289b8680b4b3914be3d53(security-advisories@github.com)

https://github.com/dataease/dataease/releases/tag/v2.10.17(security-advisories@github.com)

https://github.com/dataease/dataease/security/advisories/GHSA-88ph-3236-2m2h(security-advisories@github.com)

https://github.com/dataease/dataease/security/advisories/GHSA-88ph-3236-2m2h(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.