216.73.216.86

CVE-2025-58045

· Published 15/09/2025 16:15 · Modified 16/09/2025 12:49

Labels: CVE-2025-58045 2025-09-15CVE-2025-58045CWE-918[email protected]

Essential information

Published
15/09/2025 16:15
Modified
16/09/2025 12:49
Author
Creator
CVSS
7.1 HIGH (v3) 7.1 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12, the patch introduced to mitigate DB2 JDBC deserialization remote code execution attacks only blacklisted the rmi parameter. The ldap parameter in the DB2 JDBC connection string was not filtered, allowing attackers to exploit the DB2 JDBC connection string to trigger server-side request forgery (SSRF). In higher versions of Java, ldap deserialization (autoDeserialize) is disabled by default, preventing remote code execution, but SSRF remains exploitable. Versions up to 2.10.12 are affected. The issue is fixed in version 2.10.13. Updating to 2.10.13 or later is recommended. No known workarounds are documented aside from upgrading.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
dataease / dataease cpe:2.3:a:dataease:dataease:<2.10.12:*:*:*:*:*:*:*
dataease / dataease cpe:2.3:a:dataease:dataease:2.10.13:*:*:*:*:*:*:*

References