CVE-2025-48998

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass of the patch for CVE-2025-27103 allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.10. No known workarounds are available.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692	Not Applicable
https://github.com/dataease/dataease/security/advisories/GHSA-v4gg-8rp3-ccjx	Exploit Vendor Advisory
https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692	Not Applicable

Configurations

Configuration 1 (hide)

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

History

09 Jun 2025, 15:13

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
References	~~() https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692 -~~	() https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692 - Not Applicable
References	~~() https://github.com/dataease/dataease/security/advisories/GHSA-v4gg-8rp3-ccjx -~~	() https://github.com/dataease/dataease/security/advisories/GHSA-v4gg-8rp3-ccjx - Exploit, Vendor Advisory
CPE		cpe:2.3:a:dataease:dataease::::::::
First Time		Dataease Dataease dataease
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8

04 Jun 2025, 14:54

Type	Values Removed	Values Added
Summary		(es) DataEase es una herramienta de código abierto de inteligencia empresarial y visualización de datos. Antes de la versión 2.10.6, una omisión del parche para CVE-2025-27103 permitía a los usuarios autenticados leer y deserializar archivos arbitrarios mediante la conexión JDBC en segundo plano. La vulnerabilidad se ha corregido en la versión 2.10.10. No se conocen workarounds.

03 Jun 2025, 21:15

Type	Values Removed	Values Added
References	~~() https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692 -~~	() https://github.com/dataease/dataease/security/advisories/GHSA-2wfc-qwx7-w692 -

03 Jun 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-03 19:15

Updated : 2025-06-09 15:13

NVD link : CVE-2025-48998

Mitre link : CVE-2025-48998

CVE.ORG link : CVE-2025-48998

JSON object : View

Products Affected

dataease

dataease

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-862

Missing Authorization

NVD-CWE-noinfo

8.8 /10