CVE-2024-56511
Published: 10 January 2025
Summary
CVE-2024-56511 is a critical-severity Authentication Bypass by Alternate Name (CWE-289) vulnerability in Dataease Dataease. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating flaws in authentication filters, such as improper URL whitelist matching allowing path traversal bypasses, directly prevents exploitation of this CVE by applying patches like upgrading to DataEase v2.10.4.
Enforcing approved authorizations in access control mechanisms like TokenFilter ensures manipulated request URIs cannot bypass authentication checks.
Validating request URIs for path traversal and normalization issues in whitelist matching prevents crafted paths like /geo/../context-path/ from evading authentication.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass via path manipulation in public-facing web app directly enables remote unauthenticated exploitation of the application.
NVD Description
DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which can be bypassed and cause the risk of unauthorized access. In the io.dataease.auth.filter.TokenFilter class, ”request.getRequestURI“ is…
more
used to obtain the request URL, and it is passed to the "WhitelistUtils.match" method to determine whether the URL request is an interface that does not require authentication. The "match" method filters semicolons, but this is not enough. When users set "server.servlet.context-path" when deploying products, there is still a risk of being bypassed, which can be bypassed by any whitelist prefix /geo/../context-path/. The vulnerability has been fixed in v2.10.4.
Deeper analysisAI
CVE-2024-56511 is an authentication bypass vulnerability in DataEase, an open source data visualization analysis tool. The flaw affects versions prior to 2.10.4 and resides in the io.dataease.auth.filter.TokenFilter class. This class uses request.getRequestURI to obtain the request URL, which is then passed to the WhitelistUtils.match method to check if the URL requires authentication. While the match method filters semicolons, it is insufficient when users configure server.servlet.context-path during deployment, allowing bypass via crafted paths such as /geo/../context-path/.
The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with no prerequisites for exploitation over the network. Remote attackers without privileges can exploit it by sending requests with manipulated paths that evade the whitelist check, gaining unauthorized access to protected interfaces and potentially compromising confidentiality, integrity, and availability of the application.
The issue has been addressed in DataEase version 2.10.4. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/dataease/dataease/security/advisories/GHSA-9f69-p73j-m73x.
Details
- CWE(s)