SB2023062611 - Multiple vulnerabilities in DataEase

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2023-35164)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can manipulate the dashboard created by the administrator.

2) Information disclosure (CVE-ID: CVE-2023-35168)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a privilege bypass issue. A remote user can gain unauthorized access to sensitive information on the system.

3) Improper access control (CVE-ID: CVE-2023-34463)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the application deletion interface. A remote user can bypass implemented security restrictions and delete the application.

Remediation

Install update from vendor's website.

References

• https://github.com/dataease/dataease/security/advisories/GHSA-grxm-fc3h-3qgj
• https://github.com/dataease/dataease/security/advisories/GHSA-c2r2-68p6-73xv
• https://github.com/dataease/dataease/security/advisories/GHSA-4c4p-qfwq-85fj