Headline
CVE-2023-34463: Ordinary users can delete applications through an unauthorized interface vulnerability
DataEase is an open source data visualization analysis tool used to analyze data and gain insight into business trends. In affected versions, unauthorized users can delete an application. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Impact
Because the application deletion interface performs no authorization check, ordinary users can delete applications through this unauthorized interface vulnerability.
- Administrators can view the application module: in the system administration module, administrators can upload applications.
- Ordinary users cannot view the application module.
Reproduction:
1. backend/src/main/java/io/dataease/controller/panel/PanelAppTemplateController.java exposes a delete-application interface, /delete/{appTemplateId}; the interface does not check the caller's permissions.
2. Logged in as an administrator, note the applications that currently exist.
3. Log in as a normal user and call /delete/{appTemplateId}, passing in the id of one of those applications.
4. Log in as the administrator again: the previously existing application has been deleted by the normal user.
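The following is an added illustrative example, not DataEase's code and not the project's fix. It models the class of defect described above: a delete operation that acts on any caller, beside a hardened version that checks the caller's role before any state changes. The names Role, Caller, AppTemplateStore and AccessDeniedException, and the sample template ids, are assumptions constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;

// Illustrative example only (not DataEase code): a missing-authorization delete
// beside its hardened form. All types and sample data below are constructed.
public class AppTemplateDeleteExample {

    enum Role { ADMIN, ORDINARY_USER }

    /** The authenticated identity attached to a request (stand-in for the real principal). */
    record Caller(String username, Role role) {}

    /** Thrown when the caller lacks the permission the operation requires. */
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String msg) { super(msg); }
    }

    /** In-memory stand-in for the application template table. */
    static class AppTemplateStore {
        private final Map<String, String> templates = new HashMap<>();

        void save(String id, String name) { templates.put(id, name); }
        boolean exists(String id) { return templates.containsKey(id); }
        int count() { return templates.size(); }

        /** Vulnerable pattern: deletes whatever id is passed, regardless of who asks. */
        void deleteUnchecked(String appTemplateId) {
            templates.remove(appTemplateId);
        }

        /** Hardened pattern: the authorization decision is made before the record is touched. */
        void deleteAsAdmin(Caller caller, String appTemplateId) {
            if (caller == null || caller.role() != Role.ADMIN) {
                throw new AccessDeniedException(
                    "delete of app template " + appTemplateId + " requires ADMIN, caller="
                    + (caller == null ? "anonymous" : caller.username()));
            }
            templates.remove(appTemplateId);
        }
    }

    public static void main(String[] args) {
        AppTemplateStore store = new AppTemplateStore();
        store.save("tpl-1", "Sales dashboard");   // constructed sample data
        store.save("tpl-2", "Ops dashboard");

        Caller ordinary = new Caller("alice", Role.ORDINARY_USER);
        Caller admin = new Caller("root", Role.ADMIN);

        // Before the fix: any caller's request succeeds and the administrator's template is gone.
        store.deleteUnchecked("tpl-1");
        System.out.println("unchecked delete -> tpl-1 exists? " + store.exists("tpl-1"));

        // After the fix: the same ordinary user is rejected and the template survives.
        try {
            store.deleteAsAdmin(ordinary, "tpl-2");
        } catch (AccessDeniedException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("tpl-2 still exists? " + store.exists("tpl-2"));

        // Only an ADMIN caller may delete.
        store.deleteAsAdmin(admin, "tpl-2");
        System.out.println("admin delete -> tpl-2 exists? " + store.exists("tpl-2"));
    }
}
```

In a Spring-based controller the same gate is normally expressed declaratively, for example with Spring Security method security such as @PreAuthorize("hasRole('ADMIN')") on the handler method or a project-wide rule that every write endpoint in the administration module requires the administrator role, so the check cannot be forgotten on an individual endpoint. A regression test that calls the delete endpoint as an ordinary user and expects a 403 is the cheapest way to keep this class of bug from returning.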
Affected versions: <= 1.18.7
Patches
The vulnerability has been fixed in v1.18.8.
Workarounds
It is recommended to upgrade the version to v1.18.8.
References
If you have any questions or comments about this advisory:
Open an issue in https://github.com/dataease/dataease
Email us at wei@fit2cloud.com