{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-53006","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-06-24T03:50:36.795Z","datePublished":"2025-07-02T14:22:31.107Z","dateUpdated":"2025-07-02T14:37:30.510Z"},"containers":{"cna":{"title":"Dataease PostgreSQL & Redshift Data Source JDBC Connection Parameters Bypass Vulnerability","problemTypes":[{"descriptions":[{"cweId":"CWE-153","lang":"en","description":"CWE-153: Improper Neutralization of Substitution Characters","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":8.9,"baseSeverity":"HIGH","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P","version":"4.0"}}],"references":[{"name":"https://github.com/dataease/dataease/security/advisories/GHSA-q726-5pr9-x7gm","tags":["x_refsource_CONFIRM"],"url":"https://github.com/dataease/dataease/security/advisories/GHSA-q726-5pr9-x7gm"}],"affected":[{"vendor":"dataease","product":"dataease","versions":[{"version":"< 2.10.11","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2025-07-02T14:22:31.107Z"},"descriptions":[{"lang":"en","value":"DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, in both PostgreSQL and Redshift, apart from parameters like \"socketfactory\" and \"socketfactoryarg\", there are also \"sslfactory\" and \"sslfactoryarg\" with similar functionality. The difference lies in that \"sslfactory\" and related parameters need to be triggered after establishing the connection. Other similar parameters include \"sslhostnameverifier\", \"sslpasswordcallback\", and \"authenticationPluginClassName\". This issue has been patched in 2.10.11."}],"source":{"advisory":"GHSA-q726-5pr9-x7gm","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-07-02T14:36:35.823694Z","id":"CVE-2025-53006","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-07-02T14:37:30.510Z"}}]}}