漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
DataEase: Link Token Leakage Prior to Share Password/Ticket Validation
Vulnerability Description
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share password or ticket, allowing unauthenticated attackers who know a protected share UUID to obtain a valid link token for subsequent share-related API calls even with missing or invalid credentials. This issue is fixed in version 2.10.24.
CVSS Information
N/A
Vulnerability Type
授权机制不正确
Vulnerability Title
DataEase 授权问题漏洞
Vulnerability Description
DataEase是Dataease组织开源的一个开源的数据可视化分析工具。用于帮助用户快速分析数据并洞察业务趋势,从而实现业务的改进与优化。 DataEase 2.10.24之前版本存在授权问题漏洞,该漏洞源于/share/proxyInfo接口在验证分享密码或票据之前生成并返回X-DE-LINK-TOKEN,允许知道受保护分享UUID的未经验证攻击者即使凭据缺失或无效也能获取有效链接令牌。
CVSS Information
N/A
Vulnerability Type
N/A