CVE-2024-56511: 
Java vulnerability analysis and mitigation

DataEase, an open source data visualization analysis tool, was found to contain a critical authentication bypass vulnerability (CVE-2024-56511) in versions prior to 2.10.4. The vulnerability was discovered in the io.dataease.auth.filter.TokenFilter class, which could be exploited to bypass authentication mechanisms and gain unauthorized access to the system. This critical security flaw was disclosed on January 10, 2025, and received a CVSS v4.0 base score of 9.3 (Critical) (GitHub Advisory, Security Online).

The vulnerability exists in the TokenFilter class's authentication mechanism where 'request.getRequestURI' is used to obtain the request URL. This URL is then passed to the 'WhitelistUtils.match' method to determine if authentication is required. While the match method includes semicolon filtering, this protection proves insufficient when users configure custom 'server.servlet.context-path' settings during deployment. The vulnerability received a CVSS v3.1 base score of 9.8 and a CVSS v4.0 score of 9.3, both indicating critical severity levels (NVD, GitHub Advisory).

If exploited, this vulnerability allows attackers to bypass authentication mechanisms and gain unauthorized access to protected resources. This could potentially lead to data breaches and compromised business operations in organizations using DataEase for their business intelligence and data visualization needs (Security Online).

The vulnerability has been patched in DataEase version 2.10.4. Organizations using affected versions (≤ 2.10.3) are strongly urged to upgrade to version 2.10.4 immediately to address this security risk (GitHub Advisory, Security Online).