DataEase
cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*, +1 more
- <= 2.10.8
A vulnerability allowing JWT token forgery has been identified in DataEase versions prior to 2.10.10. The issue arises because secret verification is not properly enforced, enabling users to create tokens without valid secrets. This flaw has been addressed in version 2.10.10.
Exploitation of this vulnerability allows for unauthorized JWT token creation, which could be used to impersonate users or gain unauthorized access to resources.
To reproduce this vulnerability, send a request including a JWT token in the X-DE-TOKEN header. The token can be forged using any secret, as the application does not properly validate the token's authenticity before processing the request.
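As an added illustration (not DataEase's own code; the page does not show the affected code path), the following Python contrasts the flawed pattern the advisory describes, a verifier that decodes a token's claims without checking the signature against the server secret, with a hardened HS256 verifier that pins the algorithm and compares the recomputed HMAC in constant time. The secret, claims and helper names are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample value; in a real deployment this is the server's configured signing key.
SERVER_SECRET = b"example-server-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(payload: dict, secret: bytes) -> str:
    """Issue an HS256 JWT the way a legitimate server would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def decode_without_verifying(token: str) -> dict:
    """The flawed pattern: trust the claims without checking the signature against the server secret."""
    _, body, _ = token.split(".")
    return json.loads(_b64url_decode(body))


def verify_token(token: str, secret: bytes) -> Optional[dict]:
    """Hardened: pin the algorithm, recompute the HMAC with the server secret, compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers malformed base64, bad UTF-8 and invalid JSON
        return None
    # Never let the token choose the check (e.g. "none"); only the server-configured algorithm is accepted.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_b64url_decode(body_b64))
```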
Users are advised to upgrade to DataEase version 2.10.10 or later.