CVE-2025-46566
Published: 01 May 2025
Summary
CVE-2025-46566 is a medium-severity Improper Access Control (CWE-284) vulnerability in DataEase (vendor: Dataease). Its CVSS base score is 6.8 (Medium).
Operationally, it ranks in the top 39.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-13290
Vulnerability details
DataEase is an open-source BI tool alternative to Tableau. Prior to version 2.10.9, authenticated users can complete RCE through the backend JDBC link. This issue has been patched in version 2.10.9.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.
- Requiring formal approval, documented controls, and responsibilities for inter-system exchanges directly enforces proper access control between systems.
- Enforcing physical-layer access control on transmission resources reduces the ability to reach or manipulate them outside intended boundaries.
- Requiring external providers to implement and be monitored against organizational access-control requirements directly reduces the likelihood of improper access control across trust boundaries.
- Authorizing and controlling VoIP use directly enforces access control decisions over a distinct communication technology.
- Role separation implements access control boundaries between internal and external name resolution services.
- Disabling or removing ports and I/O devices directly enforces hardware-level access control by eliminating entry points.
- Cross-domain policy enforcement implements mandatory access control at domain boundaries, directly preventing unauthorized interactions across security domains.