TROYANOSYVIRUS
Voltar para CVEs

CVE-2025-58045

CRITICAL
9.8

Descricao

Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12, the patch introduced to mitigate DB2 JDBC deserialization remote code execution attacks only blacklisted the rmi parameter. The ldap parameter in the DB2 JDBC connection string was not filtered, allowing attackers to exploit the DB2 JDBC connection string to trigger server-side request forgery (SSRF). In higher versions of Java, ldap deserialization (autoDeserialize) is disabled by default, preventing remote code execution, but SSRF remains exploitable. Versions up to 2.10.12 are affected. The issue is fixed in version 2.10.13. Updating to 2.10.13 or later is recommended. No known workarounds are documented aside from upgrading.

Detalhes CVE

Pontuacao CVSS v3.19.8
SeveridadeCRITICAL
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioNONE
Publicado9/15/2025
Ultima modificacao9/19/2025
Fontenvd
Avistamentos honeypot0

Produtos afetados

dataease:dataease

Fraquezas (CWE)

CWE-918

Referencias

https://github.com/dataease/dataease/commit/77078658715bd85af5867afbfd5f1fcc37cf03c8(security-advisories@github.com)
https://github.com/dataease/dataease/security/advisories/GHSA-fmq3-6xhc-r845(security-advisories@github.com)
https://github.com/dataease/dataease/security/advisories/GHSA-fmq3-6xhc-r845(134c704f-9b21-4f2e-91b3-4a467353bcc0)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.