CVE-2023-35164 - Vulnerability Details - OpenCVE

DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions a missing authorization check allows unauthorized users to manipulate a dashboard created by the administrator. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Dataease	Dataease

Configuration 1 [-]

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj

History

Wed, 06 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-06-26T21:17:25.623Z

Updated: 2024-11-06T17:20:03.844Z

Reserved: 2023-06-14T14:17:52.179Z

Link: CVE-2023-35164

Vulnrichment

Updated: 2024-08-02T16:23:59.383Z

NVD

Status : Modified

Published: 2023-06-26T22:15:11.317

Modified: 2024-11-21T08:08:04.420

Link: CVE-2023-35164

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-35164", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-06-14T14:17:52.179Z", "datePublished": "2023-06-26T21:17:25.623Z", "dateUpdated": "2024-11-06T17:20:03.844Z"}, "containers": {"cna": {"title": "Unauthorized users can manipulate a dashboard created by an administrator in DataEase", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj"}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"version": "< 1.18.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-26T21:17:25.623Z"}, "descriptions": [{"lang": "en", "value": "DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions a missing authorization check allows unauthorized users to manipulate a dashboard created by the administrator. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-grxm-fc3h-3qgj", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:23:59.383Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj"}]}, {"affected": [{"vendor": "dataease", "product": "dataease", "cpes": ["cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.18.8", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-06T17:19:23.685947Z", "id": "CVE-2023-35164", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-06T17:20:03.844Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:23:59.383Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-35164", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-06T17:19:23.685947Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*"], "vendor": "dataease", "product": "dataease", "versions": [{"status": "affected", "version": "0", "lessThan": "1.18.8", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-06T17:19:56.727Z"}}], "cna": {"title": "Unauthorized users can manipulate a dashboard created by an administrator in DataEase", "source": {"advisory": "GHSA-grxm-fc3h-3qgj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"status": "affected", "version": "< 1.18.8"}]}], "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj", "name": "https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions a missing authorization check allows unauthorized users to manipulate a dashboard created by the administrator. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-26T21:17:25.623Z"}}}, "cveMetadata": {"cveId": "CVE-2023-35164", "state": "PUBLISHED", "dateUpdated": "2024-11-06T17:20:03.844Z", "dateReserved": "2023-06-14T14:17:52.179Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-06-26T21:17:25.623Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "matchCriteriaId": "21DCEC86-16D9-4180-9088-06D6AD31EF93", "versionEndExcluding": "1.18.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source data visualization analysis tool to analyze data and gain insight into business trends. In affected versions a missing authorization check allows unauthorized users to manipulate a dashboard created by the administrator. This vulnerability has been fixed in version 1.18.8. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "DataEase es una herramienta de an\u00e1lisis de visualizaci\u00f3n de datos de c\u00f3digo abierto para analizar datos y obtener informaci\u00f3n sobre las tendencias empresariales. En las versiones afectadas, la falta de una comprobaci\u00f3n de autorizaci\u00f3n permite a usuarios no autorizados manipular un cuadro de mando creado por el administrador. Esta vulnerabilidad se ha corregido en la versi\u00f3n 1.18.8. Se recomienda a los usuarios que la actualicen. No se conocen soluciones para esta vulnerabilidad. "}], "id": "CVE-2023-35164", "lastModified": "2024-11-21T08:08:04.420", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-26T22:15:11.317", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}