CVE-2023-35164: Normal users can manipulate the dashboard created by the administrator
DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions a missing authorization check allows unauthorized users to manipulate a dashboard created by the administrator. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
Normal users can manipulate the dashboard created by the administrator.
An administrator logs in to rename the dashboard directory.
A normal user does not have permission to modify the dashboard directory.
Code Location:
https://github.com/dataease/dataease/blob/dev/backend/src/main/java/io/dataease/controller/panel/PanelGroupController.java#L90
Checking the administrator's interface code for renaming the dashboard directory: according to the AOP annotation above @PostMapping("/update"), only level 1 permission on the id is required to manipulate that data.
So a demo user holding only level 1 permission can call @PostMapping("/update") and modify the dashboard as well.
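A minimal model of the authorization gap, added here as an example and not DataEase's own code: the permission levels, the grant table and the service class are hypothetical. The point it shows is that a rename handler must require manage-level rights on the target id; a check that only demands the level 1 (view) permission the advisory describes lets a view-only user rename the administrator's directory.

```python
# Added illustration of CVE-2023-35164's missing authorization check.
# PanelLevel, GRANTS and PanelGroupService are hypothetical, not DataEase code.
from enum import IntEnum


class PanelLevel(IntEnum):
    VIEW = 1    # level 1: may open/read the dashboard directory
    MANAGE = 3  # may rename, modify or delete it


class Forbidden(Exception):
    """Raised when the caller's grant on the resource is below the required level."""


# Constructed per-resource grants: (user, panel_id) -> highest level granted.
GRANTS = {
    ("admin", "dir-1"): PanelLevel.MANAGE,
    ("demo", "dir-1"): PanelLevel.VIEW,
}


def check_permission(user: str, panel_id: str, required: PanelLevel) -> None:
    granted = GRANTS.get((user, panel_id), 0)
    if granted < required:
        raise Forbidden(f"{user} has level {granted} on {panel_id}, needs {required}")


class PanelGroupService:
    def __init__(self) -> None:
        self.names = {"dir-1": "Finance"}  # constructed directory name

    def update_vulnerable(self, user: str, panel_id: str, new_name: str) -> None:
        # Before the fix: the update handler only demanded level 1 on `id`.
        check_permission(user, panel_id, PanelLevel.VIEW)
        self.names[panel_id] = new_name

    def update_fixed(self, user: str, panel_id: str, new_name: str) -> None:
        # Renaming is a management operation, so require the manage level.
        check_permission(user, panel_id, PanelLevel.MANAGE)
        self.names[panel_id] = new_name


def run_scenario(handler_name: str):
    """Admin then demo try to rename dir-1; return (admin_ok, demo_ok, final_name)."""
    svc = PanelGroupService()
    handler = getattr(svc, handler_name)
    outcome = []
    for user in ("admin", "demo"):
        try:
            handler(user, "dir-1", f"renamed-by-{user}")
            outcome.append(True)
        except Forbidden:
            outcome.append(False)
    return outcome[0], outcome[1], svc.names["dir-1"]
```

Running run_scenario("update_vulnerable") shows the demo user's rename succeeding; run_scenario("update_fixed") refuses it while the administrator's rename still goes through.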
Affected versions: <= 1.18.7
Patches
The vulnerability has been fixed in v1.18.8.
Workarounds
It is recommended to upgrade the version to v1.18.8.
References
If you have any questions or comments about this advisory:
Open an issue at https://github.com/dataease/dataease
Email us at wei@fit2cloud.com