PT-2025-1176 · Dataease · Dataease

Racerz-Fighting · Published 2025-01-10 · Updated 2025-02-20 · CVE-2024-56511

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

DataEase versions prior to 2.10.4

Description

DataEase is an open source data visualization analysis tool. An authentication flaw in the io.dataease.auth.filter.TokenFilter class allows the filter to be bypassed, creating a risk of unauthorized access. The vulnerability stems from inadequate URL filtering, potentially compromising data security. TokenFilter obtains the request URL with request.getRequestURI and passes it to the WhitelistUtils.match method, which decides whether the request targets an interface that does not require authentication. The match method filters semicolons, but this is not enough. When server.servlet.context-path is set at deployment, the check can still be bypassed by prefixing the request with any whitelist prefix, as in /geo/../context-path/.

Recommendations

To resolve the issue, update to version 2.10.4 or later. As a temporary workaround, consider restricting access to the vulnerable io.dataease.auth.filter.TokenFilter class until a patch is available. Avoid using the server.servlet.context-path configuration when deploying the product until the issue is resolved.
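
The whitelist decision from the Description, as an added example that is not DataEase's own code: weakMatch is a simplified model of a prefix match on the raw request URI, and strictMatch is one way to make that decision fail closed. The context path /ctx, the path /protected/resource and the sample URIs are constructed, and /geo/ is assumed to be the only whitelist prefix.

```java
import java.util.List;

public class WhitelistCheckDemo {
    // Assumption: "/geo/" (the prefix the advisory names) is the only whitelist entry.
    static final List<String> WHITELIST = List.of("/geo/");

    // Simplified model of the weak check (not the project's code): drop ";params",
    // strip the context path if it leads the URI, then prefix-match what is left.
    static boolean weakMatch(String requestUri, String contextPath) {
        String uri = requestUri.replaceAll(";[^/]*", "");
        if (!contextPath.isEmpty() && uri.startsWith(contextPath)) {
            uri = uri.substring(contextPath.length());
        }
        return WHITELIST.stream().anyMatch(uri::startsWith);
    }

    // Hardened check: refuse any URI the container could resolve differently
    // from this filter, and require the context path before matching.
    static boolean strictMatch(String requestUri, String contextPath) {
        if (requestUri.contains(";") || requestUri.contains("%")
                || requestUri.contains("\\") || requestUri.contains("//")) {
            return false; // path parameters, encoding, odd separators
        }
        for (String segment : requestUri.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..")) {
                return false; // dot segments are never whitelisted
            }
        }
        String path = requestUri;
        if (!contextPath.isEmpty()) {
            if (!path.startsWith(contextPath + "/")) {
                return false; // outside the application's context
            }
            path = path.substring(contextPath.length());
        }
        return WHITELIST.stream().anyMatch(path::startsWith);
    }

    public static void main(String[] args) {
        String ctx = "/ctx"; // constructed server.servlet.context-path value
        String[] samples = {  // constructed request URIs
            "/ctx/geo/map.json", "/geo/../ctx/protected/resource", "/ctx/protected/resource"
        };
        for (String uri : samples) {
            System.out.printf("%-32s weak=%-5b strict=%b%n",
                    uri, weakMatch(uri, ctx), strictMatch(uri, ctx));
        }
    }
}
```

Only the second sample differs between the two checks: weakMatch treats it as whitelisted while strictMatch rejects it.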

Related Identifiers

BDU:2025-00459
CVE-2024-56511
GHSA-9F69-P73J-M73X

Affected Products

Dataease