Cyber Resilience

CVE-2024-46997

Critical · Public PoC

Published: 23 September 2024

Modified: 07 October 2024
KEV Added: not listed
Patch: available (v2.10.1)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1893 (95.5th percentile)
Risk Priority: 31 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-46997 is a critical-severity Injection (CWE-74) vulnerability in DataEase (vendor: Dataease). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 4.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

DataEase, an open source data visualization analysis tool, contains a remote command execution vulnerability in versions prior to 2.10.1. The flaw, tracked as CVE-2024-46997 and assigned CWE-74, allows an attacker to supply a maliciously crafted H2 database connection string that results in arbitrary command execution on the server. The issue carries a CVSS 3.1 score of 9.8, reflecting network-accessible exploitation without authentication or user interaction.

An unauthenticated attacker with network access can add the malicious data source through the application's normal connection configuration workflow, achieving full control over the underlying host including the ability to read, modify, or delete data and execute system commands. Because the vector requires no privileges, the impact extends to any internet-exposed or internally reachable DataEase instance that accepts user-supplied data sources.

The official advisory published in the DataEase GitHub repository states that the vulnerability has been resolved in version 2.10.1; administrators are advised to upgrade immediately and to restrict or review any existing H2 data source definitions until patches are applied.
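The advisory's two actions (upgrade to 2.10.1, review existing H2 data sources) can be turned into a simple inventory audit. The following is an added example, not code from the page or from the DataEase project; it assumes a constructed inventory format (host, version string, and a list of data sources with JDBC URLs), since DataEase's own data source export format is not described here. It treats every version below 2.10.1 as affected, as the advisory text states.

```python
# Added example: audit a constructed DataEase inventory against CVE-2024-46997.
# The inventory format below is an assumption, not DataEase's real export format.
import re

FIXED_VERSION = (2, 10, 1)  # advisory: fixed in v2.10.1


def parse_version(text):
    """Turn 'v2.10.0' or '2.10.1-rc1' into a comparable int tuple (ignores suffixes)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version):
    """True for any release before the fixed version."""
    return parse_version(version) < FIXED_VERSION


def is_h2_source(jdbc_url):
    """H2 JDBC URLs begin with 'jdbc:h2:' (drivers accept any letter case)."""
    return jdbc_url.strip().lower().startswith("jdbc:h2:")


def audit(inventory):
    """Return (host, action, detail) findings: 'upgrade' and 'review-h2-datasource'."""
    findings = []
    for inst in inventory:
        if is_vulnerable_version(inst["version"]):
            findings.append((inst["host"], "upgrade", f"{inst['version']} < 2.10.1"))
        for ds in inst["datasources"]:
            if is_h2_source(ds["url"]):
                findings.append((inst["host"], "review-h2-datasource", ds["name"]))
    return findings


# Constructed sample inventory (hostnames and data sources are made up).
SAMPLE = [
    {"host": "bi-prod.example.internal", "version": "v2.9.0",
     "datasources": [{"name": "sales", "url": "jdbc:mysql://db1:3306/sales"},
                     {"name": "scratch", "url": "jdbc:h2:mem:scratch"}]},
    {"host": "bi-dev.example.internal", "version": "2.10.1",
     "datasources": [{"name": "demo", "url": "JDBC:H2:file:/tmp/demo"}]},
]

if __name__ == "__main__":
    for host, action, detail in audit(SAMPLE):
        print(f"{host}: {action} ({detail})")
```

A patched instance still gets a review finding for each H2 data source, matching the advisory's advice to review those definitions rather than assuming the upgrade alone closes the question.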

EPSS for the CVE rose from a low baseline to a peak of 0.2129, indicating that exploitation interest emerged after public disclosure and that the issue warrants renewed defensive attention.

Vulnerability details

DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, an attacker can achieve remote command execution by adding a carefully constructed h2 data source connection string. The vulnerability has been fixed in v2.10.1.

CWE(s): CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, "Injection")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: dataease
Product: dataease
Versions: ≤ 2.10.1

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them pre-deployment.
- Addresses CWE-74: Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.
