DataEase Authentication Bypass Vulnerability in TokenFilter Class Allowing Unauthorized Access

Vulnerability

An authentication bypass vulnerability has been identified in DataEase versions prior to 2.10.4. The issue resides in the TokenFilter class, where the request URI is obtained and checked against a whitelist to determine if authentication is required. However, the filtering method is insufficient, allowing bypasses when the 'server.servlet.context-path' is set. This could be exploited by manipulating the request URL to include certain prefixes, potentially leading to unauthorized access.

Impact

Exploitation of this vulnerability allows for unauthorized access by bypassing authentication mechanisms.

Reproduction

To reproduce this vulnerability, set 'server.servlet.context-path' to '/demo' in the application.yml file. Accessing the '/de2api/user/info' interface through the normal context path then results in a 500 error, because the token is missing and verification fails. However, if the request is made in a way that bypasses the context path filtering, the interface returns the expected information, demonstrating the authentication bypass.

Remediation

Users are advised to upgrade DataEase to version 2.10.4, where this vulnerability has been fixed.
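An exposure check for the two conditions named above (a release earlier than 2.10.4, and 'server.servlet.context-path' being set), as an added example that is not part of the original advisory or the DataEase code base. The function names, the result labels and the sample YAML are assumptions made for illustration.

```python
import re

FIXED = (2, 10, 4)  # first fixed release, per the advisory
# Constructed sample using the advisory's reproduction setting (port is made up).
SAMPLE_YML = "server:\n  port: 8100\n  servlet:\n    context-path: /demo\n"

def parse_version(text):
    """Turn 'v2.10.3' or '2.10.3-lts' into (2, 10, 3); None if unparseable."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def context_path(yaml_text):
    """Return server.servlet.context-path from application.yml text, or ''.

    Handles the nested form and the flattened dotted-key form. This is a
    minimal indentation-based reader, not a full YAML parser.
    """
    stack = []  # (indent, key) pairs for the enclosing mappings
    for raw in yaml_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"(\s*)([^:\s][^:]*):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2).strip(), m.group(3).strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at this indentation
        full = ".".join([k for _, k in stack] + [key])
        if value == "":
            stack.append((indent, key))
        elif full == "server.servlet.context-path":
            return value.strip("'\"")
    return ""

def assess(version_text, yaml_text):
    """Classify one instance against the advisory's two conditions."""
    version = parse_version(version_text)
    if version is None:
        return "unknown-version"
    if version >= FIXED:
        return "fixed"
    # A bare "/" is the root context, so it is treated as "not set".
    path = context_path(yaml_text).rstrip("/")
    return "vulnerable-context-path-set" if path else "vulnerable-version"

if __name__ == "__main__":
    print(assess("v2.10.3", SAMPLE_YML))
```

Instances reported as "vulnerable-context-path-set" match the configuration the reproduction describes and are the first candidates for the upgrade.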

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.