CVE-2023-28437 - Vulnerability Details - OpenCVE

Dataease is an open source data visualization and analysis tool. The blacklist for SQL injection protection is missing entries. This vulnerability has been fixed in version 1.18.5. There are no known workarounds.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dataease	Dataease

Configuration 1 [-]

cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/dataease/dataease/issues/4795
https://github.com/dataease/dataease/releases/tag/v1.18.5
https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-03-24T23:43:15.992Z

Updated: 2024-08-02T12:38:25.347Z

Reserved: 2023-03-15T15:59:10.054Z

Link: CVE-2023-28437

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-03-25T00:15:08.243

Modified: 2024-11-21T07:55:03.900

Link: CVE-2023-28437

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28437", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-03-15T15:59:10.054Z", "datePublished": "2023-03-24T23:43:15.992Z", "dateUpdated": "2024-08-02T12:38:25.347Z"}, "containers": {"cna": {"title": "SQL injection vulnerability due to the keyword blacklist for defending against SQL injection will be bypassed", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56"}, {"name": "https://github.com/dataease/dataease/issues/4795", "tags": ["x_refsource_MISC"], "url": "https://github.com/dataease/dataease/issues/4795"}, {"name": "https://github.com/dataease/dataease/releases/tag/v1.18.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/dataease/dataease/releases/tag/v1.18.5"}], "affected": [{"vendor": "dataease", "product": "dataease", "versions": [{"version": "< 1.18.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-24T23:43:15.992Z"}, "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization and analysis tool. The blacklist for SQL injection protection is missing entries. This vulnerability has been fixed in version 1.18.5. There are no known workarounds. "}], "source": {"advisory": "GHSA-7j7j-9rw6-3r56", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:38:25.347Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56"}, {"name": "https://github.com/dataease/dataease/issues/4795", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dataease/dataease/issues/4795"}, {"name": "https://github.com/dataease/dataease/releases/tag/v1.18.5", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/dataease/dataease/releases/tag/v1.18.5"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A6525A4-9AFC-4166-83A7-7986DA122308", "versionEndExcluding": "1.18.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Dataease is an open source data visualization and analysis tool. The blacklist for SQL injection protection is missing entries. This vulnerability has been fixed in version 1.18.5. There are no known workarounds. "}], "id": "CVE-2023-28437", "lastModified": "2024-11-21T07:55:03.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-03-25T00:15:08.243", "references": [{"source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/issues/4795"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/dataease/dataease/releases/tag/v1.18.5"}, {"source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/issues/4795"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/dataease/dataease/releases/tag/v1.18.5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/dataease/dataease/security/advisories/GHSA-7j7j-9rw6-3r56"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "[email protected]", "type": "Secondary"}]}