CVE-2025-57773
BaseFortify
Publication date: 2025-08-25
Last updated on: 2025-09-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dataease | dataease | to 2.10.12 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in DataEase prior to version 2.10.12 allows a JNDI injection attack because DB2 parameters are not filtered. The JNDI injection triggers an AspectJWeaver deserialization attack, which can write to various files on the system. This attack requires specific libraries: commons-collections 4.x and aspectjweaver-1.9.22.jar. The issue has been fixed in version 2.10.12.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized file writes on the affected system, potentially allowing attackers to execute arbitrary code or alter system files. This can compromise the integrity and security of the system running DataEase, leading to data breaches or system compromise.
What immediate steps should I take to mitigate this vulnerability?
Upgrade DataEase to version 2.10.12 or later, as this version contains the fix for the JNDI injection vulnerability. Additionally, ensure that the vulnerable libraries commons-collections 4.x and aspectjweaver-1.9.22.jar are not used or are updated to secure versions.