DataEase is vulnerable to Oracle JNDI Injection_CVE-2025-64164

8.9 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Description

Dataease is an open source data visualization analysis tool. In versions 2.10.14 and below, DataEase did not properly filter when establishing JDBC connections to Oracle, resulting in a risk of JNDI injection (Java Naming and Directory Interface injection). This issue is fixed in version 2.10.15.

AI Analysis

JNDI injection vulnerability in DataEase when establishing JDBC connections to Oracle

Basic Information

ID CVE-2025-64164

Source GitHub_M

Published Nov 6, 2025 at 00:07

Affected Product

Vendor dataease

Product dataease

Version < 2.10.15

Affected Versions dataease dataease < 2.10.15

CWE Classification

CWE-502

AI Assessment

AI Score 8.9 / 10

AI Severity High

Vendor DataEase

Product DataEase

Version 2.10.14 and below

References

{
    "lastseen": "",
    "description": "Dataease is an open source data visualization analysis tool. In versions 2.10.14 and below, DataEase did not properly filter when establishing JDBC connections to Oracle, resulting in a risk of JNDI injection (Java Naming and Directory Interface injection). This issue is fixed in version 2.10.15.",
    "published": "2025-11-06T00:07:58.592Z",
    "modified": "2025-11-06T00:07:58.592Z",
    "type": "cve",
    "title": "DataEase is vulnerable to Oracle JNDI Injection",
    "source": "GitHub_M",
    "references": "https://github.com/dataease/dataease/security/advisories/GHSA-q754-4pc2-wjqw\nhttps://github.com/dataease/dataease/commit/7b68eb3dfccbbd12ec977e6320dbd3e32a7bbfe6\nhttps://github.com/dataease/dataease/releases/tag/v2.10.15",
    "id": "CVE-2025-64164",
    "bulletinFamily": "",
    "cwe": [
        "CWE-502"
    ],
    "cvelist": null,
    "sourceData": "dataease dataease < 2.10.15",
    "sourceHref": "",
    "cvss": {
        "score": 8.9,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "dataease",
    "version": "< 2.10.15",
    "vendor": "dataease",
    "ai_description": "JNDI injection vulnerability in DataEase when establishing JDBC connections to Oracle",
    "ai_severity": "High",
    "ai_vendor": "DataEase",
    "ai_product": "DataEase",
    "ai_version": "2.10.14 and below",
    "ai_score": 8.9
}