This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **DataEase Info Leak!** * **Essence:** A critical security flaw in DataEase (open-source BI tool). * **Consequence:** Attackers can view sensitive **database configurations** via a specific URL path. * **Impact:β¦
π‘οΈ **CWE-200: Exposure of Sensitive Information.** * **The Flaw:** Improper handling of the URL path `/de2api/engine/getEngine;.js`. * **Root Cause:** The server exposes internal config data when this specific endpoβ¦
π₯ **Affected Versions:** * **Product:** DataEase. * **Version:** **Prior to v2.5.0**. * **Status:** If you are running v2.4.x or earlier, you are at risk! β οΈ
π **Self-Check Method:** * **Manual:** Visit `http://<target>/de2api/engine/getEngine;.js`. * **Check:** If you see JSON/XML with DB credentials/configs, you are vulnerable. * **Automated:** Use Nuclei or similar β¦
π§ **No Patch? Mitigate Now.** * **WAF:** Block requests to `/de2api/engine/getEngine;.js`. * **Network:** Restrict access to the `/de2api/` endpoint. * **Config:** Rotate DB credentials immediately if exposed. π
Q10Is it urgent? (Priority Suggestion)
π₯ **Priority: HIGH.** * **CVSS:** 5.3 (Medium), but **Zero-Auth** makes it dangerous. * **Urgency:** Patch immediately. DB configs are gold for attackers. * **Action:** Upgrade to v2.5.0 ASAP. πββοΈπ¨