logo
Vulnerability feed
Contributors
About
Blog
CONTRIBUTE

Vulnerability

warn

CVE-2024-56511

Reference to the description:

https://nvd.nist.gov/vuln/detail/CVE-2024-56511

Description:
DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which can be bypassed and cause the risk of unauthorized access. In the io.dataease.auth.filter.TokenFilter class, ”request.getRequestURI“ is used to obtain the request URL, and it is passed to the "WhitelistUtils.match" method to determine whether the URL request is an interface that does not require authentication. The "match" method filters semicolons, but this is not enough. When users set "server.servlet.context-path" when deploying products, there is still a risk of being bypassed, which can be bypassed by any whitelist prefix /geo/../context-path/. The vulnerability has been fixed in v2.10.4.
Last updated date:
02/20/2025
Type:
exploit
Confidence:
HIGH
Date of publishing:
02/20/2025
Reference url to background

https://github.com/dataease/dataease/security/advisories/GHSA-9f69-p73j-m73x

Vulnerability FeedContributorsAboutBlog

@inTheWild

©2025

Privacy Policy