- Description
- DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class which can be bypassed, creating a risk of unauthorized access. In the io.dataease.auth.filter.TokenFilter class, "request.getRequestURI" is used to obtain the request URL, which is then passed to the "WhitelistUtils.match" method to determine whether the requested URL is an interface that does not require authentication. The "match" method filters semicolons, but this is not enough. When users set "server.servlet.context-path" when deploying the product, there is still a risk of bypass: a request that starts with any whitelisted prefix followed by a parent-directory segment, i.e. /geo/../context-path/, passes the whitelist check. The vulnerability has been fixed in v2.10.4.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
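The root cause in the description is a normalization mismatch: the whitelist is prefix-matched against the raw request URI, while the servlet container resolves the `..` segment before routing, so `/geo/../<context-path>/...` looks public to the filter but reaches a protected endpoint. The example below is added here for illustration and is not DataEase's code: `naive_is_public` is a simplified stand-in for the flawed raw-URI prefix match, and `hardened_is_public` shows the defensive pattern of canonicalising the path (matrix parameters, percent-decoding, dot segments) and stripping the configured context path before any whitelist comparison. The whitelist entries, the context path `/dataease` and the sample URIs are constructed for the demo.

```python
import posixpath
from urllib.parse import unquote

# Constructed whitelist for the demo; DataEase's real list is not reproduced here.
PUBLIC_PREFIXES = ("/geo/", "/login/")


def naive_is_public(request_uri: str) -> bool:
    """Stand-in for the flawed check: prefix-match the raw request URI after
    stripping ';' characters, without ever resolving '..' segments."""
    cleaned = request_uri.replace(";", "")
    return any(cleaned.startswith(p) for p in PUBLIC_PREFIXES)


def canonical_path(request_uri: str) -> str:
    """Reduce a request URI to one canonical absolute path: drop the query
    string, drop per-segment ';' matrix parameters, percent-decode until the
    value is stable, then collapse '.' and '..' segments. Climbing above '/'
    is clamped to '/' by posixpath.normpath."""
    path = request_uri.split("?", 1)[0]
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    for _ in range(3):  # bounded loop: defeats double encoding such as %252e
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)
    while path.startswith("//"):  # normpath keeps exactly two leading slashes
        path = path[1:]
    return path


def hardened_is_public(request_uri: str, context_path: str = "") -> bool:
    """Whitelist match on the canonical path *relative to the context path*,
    so a '..' that lands back inside the application cannot borrow a public
    prefix from the raw URI."""
    path = canonical_path(request_uri)
    ctx = context_path.strip("/")
    if ctx:
        ctx = "/" + ctx
        if not (path == ctx or path.startswith(ctx + "/")):
            return False  # outside the application; the container will not route it
        path = path[len(ctx):] or "/"
    for prefix in PUBLIC_PREFIXES:
        p = prefix.rstrip("/")
        if path == p or path.startswith(p + "/"):
            return True
    return False


if __name__ == "__main__":
    # Constructed requests against a deployment with server.servlet.context-path=/dataease
    for uri in ("/dataease/geo/world.json",
                "/geo/../dataease/api/secret",
                "/geo/%2e%2e/dataease/api/secret",
                "/geo;x/../dataease/api/secret"):
        print(f"{uri:40} naive={naive_is_public(uri)!s:5} "
              f"hardened={hardened_is_public(uri, '/dataease')}")
```

The hardened variant treats anything that canonicalises to a path outside the context as not public and lets the container reject it, rather than trying to enumerate every encoding of `..`; the whitelist is only ever consulted on the same path the container will actually dispatch.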
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-289
- nvd@nist.gov
- NVD-CWE-Other
- Hype score
- Not currently trending
🚨 A critical vulnerability (CVE-2024-56511) in DataEase allows unauthorized data access due to improper URL filtering. A CVSSv4 score of 9.3 emphasizes the urgency to upgrade to version 2.10.4! 🇺🇸 #DataBreach #OpenSource #DataEase #CybersecurityNews li… https://t.co/EcSLT2yYL
@TweetThreatNews
15 Jan 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2024-56511: CRITICAL] DataEase tool had an authentication flaw pre-v2.10.4, allowing unauthorized access. The issue stemmed from inadequate URL filtering, potentially compromising data security. #cybersecurity, #vulnerability https://t.co/Q2siuA9n8y https://t.co/pv6szNbF0A
@CveFindCom
10 Jan 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-56511 DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, … https://t.co/bU1Tb09zwi
@CVEnew
10 Jan 2025
289 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:dataease:dataease:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7335184A-8414-470A-98CB-6500DC6EE35E",
            "versionEndExcluding": "2.10.4"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]