CVE-2025-53006

DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, in both PostgreSQL and Redshift, apart from parameters like "socketfactory" and "socketfactoryarg", there are also "sslfactory" and "sslfactoryarg" with similar functionality. The difference lies in that "sslfactory" and related parameters need to be triggered after establishing the connection. Other similar parameters include "sslhostnameverifier", "sslpasswordcallback", and "authenticationPluginClassName". This issue has been patched in 2.10.11.

CVSS

No CVSS.

References

Link	Resource
https://github.com/dataease/dataease/security/advisories/GHSA-q726-5pr9-x7gm

Configurations

No configuration.

History

03 Jul 2025, 15:13

Type	Values Removed	Values Added
Summary		(es) DataEase es una herramienta de código abierto para inteligencia empresarial y visualización de datos. Antes de la versión 2.10.11, tanto en PostgreSQL como en Redshift, además de parámetros como "socketfactory" y "socketfactoryarg", también existían "sslfactory" y "sslfactoryarg" con funcionalidades similares. La diferencia radica en que "sslfactory" y sus parámetros relacionados deben activarse tras establecer la conexión. Otros parámetros similares incluyen "sslhostnameverifier", "sslpasswordcallback" y "authenticationPluginClassName". Este problema se ha corregido en la versión 2.10.11.

02 Jul 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-02 15:15

Updated : 2025-07-03 15:13

NVD link : CVE-2025-53006

Mitre link : CVE-2025-53006

CVE.ORG link : CVE-2025-53006

JSON object : View

Products Affected

No product.

CWE

CWE-153

Improper Neutralization of Substitution Characters

{"id": "CVE-2025-53006", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-02T15:15:27.343", "references": [{"url": "https://github.com/dataease/dataease/security/advisories/GHSA-q726-5pr9-x7gm", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-153"}]}], "descriptions": [{"lang": "en", "value": "DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, in both PostgreSQL and Redshift, apart from parameters like \"socketfactory\" and \"socketfactoryarg\", there are also \"sslfactory\" and \"sslfactoryarg\" with similar functionality. The difference lies in that \"sslfactory\" and related parameters need to be triggered after establishing the connection. Other similar parameters include \"sslhostnameverifier\", \"sslpasswordcallback\", and \"authenticationPluginClassName\". This issue has been patched in 2.10.11."}, {"lang": "es", "value": "DataEase es una herramienta de c\u00f3digo abierto para inteligencia empresarial y visualizaci\u00f3n de datos. Antes de la versi\u00f3n 2.10.11, tanto en PostgreSQL como en Redshift, adem\u00e1s de par\u00e1metros como \"socketfactory\" y \"socketfactoryarg\", tambi\u00e9n exist\u00edan \"sslfactory\" y \"sslfactoryarg\" con funcionalidades similares. La diferencia radica en que \"sslfactory\" y sus par\u00e1metros relacionados deben activarse tras establecer la conexi\u00f3n. Otros par\u00e1metros similares incluyen \"sslhostnameverifier\", \"sslpasswordcallback\" y \"authenticationPluginClassName\". Este problema se ha corregido en la versi\u00f3n 2.10.11."}], "lastModified": "2025-07-03T15:13:53.147", "sourceIdentifier": "security-advisories@github.com"}