CVE-2024-52295: 
Java vulnerability analysis and mitigation

DataEase, an open source data visualization analysis tool, was found to contain a critical vulnerability (CVE-2024-52295) that allows attackers to forge JWT tokens and take over services. The vulnerability was discovered in versions prior to 2.10.2, where the JWT secret was hardcoded in the code along with hardcoded UID and OID values. The issue was disclosed on November 13, 2024, and has been fixed in version 2.10.2 (GitHub Advisory).

The vulnerability stems from the hardcoded JWT secret (83d923c9f1d8fcaa46cae0ed2aaa81b5) in the SubstituleLoginServer class, along with hardcoded user ID (UID=1) and organization ID (OID=1) values. This implementation allows attackers to generate valid JWT tokens by using the known secret to sign tokens with arbitrary expiration times. The vulnerability has received a CVSS v3.1 base score of 9.8 CRITICAL (NVD).

The vulnerability enables attackers to bypass authentication and gain unauthorized access to the system with administrative privileges. Using forged JWT tokens, attackers can access sensitive information and take control of the service. A proof of concept demonstrated the ability to access database configurations on the official demo website using forged tokens (GitHub Advisory).

The vulnerability has been patched in DataEase version 2.10.2. Users running affected versions (2.10.1 and earlier) are strongly recommended to upgrade to version 2.10.2 to address this security issue (GitHub Advisory).