Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-46985

CVE-2024-46985: DataEase XXE Vulnerability

CVE-2024-46985 is an XML external entity injection flaw in DataEase that enables attackers to perform intranet detection and read sensitive files. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2024-46985 Overview

CVE-2024-46985 is an XML External Entity (XXE) injection vulnerability in DataEase, an open source data visualization analysis tool. The flaw exists in the static resource upload interface of DataEase versions prior to 2.10.1. An attacker can craft a malicious XML payload to perform intranet detection and read local files from the server. The vulnerability is exploitable over the network without authentication or user interaction. Project maintainers fixed the issue in version 2.10.1.

Critical Impact

Unauthenticated network attackers can exfiltrate local files and probe internal network resources by submitting crafted XML to the static resource upload interface [CWE-611].

Affected Products

  • DataEase versions prior to 2.10.1
  • Vendor: dataease
  • Component: dataease:dataease

Discovery Timeline

  • 2024-09-23 - CVE-2024-46985 published to NVD
  • 2024-09-23 - GitHub Security Advisory GHSA-4m9p-7xg6-f4mm published
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-46985

Vulnerability Analysis

The vulnerability resides in the DataEase static resource upload interface, which accepts XML input. The underlying XML parser processes external entity declarations without restrictions. An attacker submits an XML document containing a DOCTYPE declaration that references an external entity, and the server resolves that entity during parsing.

This behavior enables two primary attack outcomes. First, the parser can be coerced into reading arbitrary local files accessible to the DataEase process. Second, the parser can be directed to issue outbound requests to internal hosts, allowing the attacker to enumerate services reachable from the DataEase server. The vulnerability is classified under [CWE-611] (Improper Restriction of XML External Entity Reference).

Root Cause

The root cause is an insecurely configured XML parser in the static resource upload handler. The parser does not disable external entity resolution or DTD processing, which violates secure XML processing guidance. Any XML document submitted to the endpoint is parsed with default settings that trust embedded entity references.

Attack Vector

The attack vector is network-based. An unauthenticated attacker sends a POST request containing a malicious XML payload to the static resource upload endpoint of a vulnerable DataEase instance. The payload defines an external entity that points to a local file (for example file:///etc/passwd) or an internal URL. The parsed response, error message, or out-of-band channel returns the entity content to the attacker. No user interaction is required.

Technical details of the malicious XML structure and the affected endpoint are documented in the GitHub Security Advisory GHSA-4m9p-7xg6-f4mm.

Detection Methods for CVE-2024-46985

Indicators of Compromise

  • HTTP requests to DataEase static resource upload endpoints containing <!DOCTYPE or <!ENTITY declarations in the request body.
  • Outbound DNS or HTTP connections initiated by the DataEase Java process to attacker-controlled domains or unexpected internal hosts.
  • Application logs showing XML parsing of uploaded files referencing file://, http://, or ftp:// URI schemes.

Detection Strategies

  • Inspect web traffic to DataEase for XML payloads that include external entity definitions, especially on upload endpoints.
  • Correlate process telemetry from the DataEase host with unexpected file reads of sensitive paths such as /etc/passwd, /etc/shadow, or application configuration files.
  • Monitor for outbound network connections from the DataEase server to non-business destinations that follow inbound upload requests.

Monitoring Recommendations

  • Enable verbose logging on the DataEase application server and forward logs to a centralized SIEM for retention and analysis.
  • Alert on inbound HTTP requests whose body contains XML doctype patterns targeting DataEase URIs.
  • Track outbound connection patterns from DataEase to detect server-side request forgery behavior triggered by XXE.

How to Mitigate CVE-2024-46985

Immediate Actions Required

  • Upgrade DataEase to version 2.10.1 or later, which contains the official fix.
  • Restrict network access to the DataEase static resource upload interface so only trusted users can reach it.
  • Audit recent application logs for evidence of XML payloads containing entity declarations submitted to upload endpoints.

Patch Information

The maintainers released the fix in DataEase v2.10.1. The patch hardens the XML parser used by the static resource upload interface to reject external entity resolution. Full details are available in the DataEase GitHub Security Advisory.

Workarounds

  • Place DataEase behind a web application firewall and block requests containing <!DOCTYPE or <!ENTITY patterns until patching is complete.
  • Apply egress filtering on the DataEase host to prevent the application from reaching arbitrary internal or external destinations.
  • Restrict file system permissions of the DataEase service account to limit which files an XXE read attempt could access.
bash
# Example egress filter limiting DataEase outbound traffic to required dependencies
iptables -A OUTPUT -m owner --uid-owner dataease -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner dataease -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner dataease -d 192.168.0.0/16 -j REJECT

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.