CVE-2024-29890 in DataLens
Summary
by MITRE • 03/29/2024
DataLens is a business intelligence and data visualization system. A specifically crafted request allowed the creation of a special chart type with the ability to pass custom javascript code that would later be executed in an unprotected sandbox on subsequent requests to that chart. The problem was fixed in the datalens-ui version `0.1449.0`. Restricting access to the API for creating or modifying charts (`/charts/api/charts/v1/`) would mitigate the issue.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 04/10/2025
The vulnerability identified as CVE-2024-29890 affects DataLens, a business intelligence and data visualization platform that enables organizations to create interactive dashboards and charts from various data sources. This system serves as a critical component in enterprise data analysis environments where users rely on visual representations of complex datasets for decision-making processes. The vulnerability resides in the chart creation functionality of the DataLens UI, specifically within the API endpoints responsible for managing chart configurations and visualizations. The flaw represents a significant security risk as it allows unauthorized users to inject and execute arbitrary javascript code within the application's sandboxed environment, potentially compromising the entire system.
The technical implementation of this vulnerability stems from insufficient input validation and sanitization within the chart creation process. When users submit requests to create or modify charts through the `/charts/api/charts/v1/` endpoint, the system fails to properly validate or sanitize user-provided parameters that define chart types and configurations. This weakness enables attackers to craft specially formatted requests that include malicious javascript code within chart definitions. The system then stores these crafted chart configurations in an unprotected sandbox environment where the malicious code executes automatically during subsequent requests to those specific charts. This represents a classic server-side code injection vulnerability that operates within the application's trusted execution environment, bypassing normal security controls that would typically prevent arbitrary code execution.
The operational impact of this vulnerability extends beyond simple code execution, as it creates a persistent backdoor within the DataLens environment. Once successfully exploited, attackers can maintain access through subsequent chart requests without requiring additional authentication or re-exploitation. The sandboxed execution environment provides limited protection against malicious activities, as the javascript code can access the application's resources and potentially exfiltrate sensitive data from the visualization platform. This vulnerability directly violates security principles outlined in the CWE (Common Weakness Enumeration) catalog under CWE-94, which addresses "Improper Control of Generation of Code ('Code Injection')" and aligns with ATT&CK techniques categorized under T1059.007 for "Command and Scripting Interpreter: JavaScript" and T1566 for "Phishing". The implications are particularly severe in enterprise environments where DataLens might contain sensitive business intelligence, financial data, or operational metrics that could be compromised through this attack vector.
Mitigation strategies for CVE-2024-29890 should focus on immediate access restrictions combined with proper code sanitization measures. The primary recommended approach involves restricting API access to the chart creation and modification endpoints through authentication controls, network segmentation, and role-based access controls that limit which users can create or modify chart configurations. Organizations should implement comprehensive input validation that strips or escapes javascript code from user-provided chart parameters before storage, ensuring that only safe and validated chart configurations are accepted. Additionally, implementing proper output encoding and content security policies within the application's sandboxed execution environment can prevent malicious code from executing even if it manages to bypass initial validation. The vendor has addressed this issue in version 0.1449.0 of datalens-ui through enhanced input sanitization and stricter validation of chart parameters. Organizations should also conduct thorough security audits of their DataLens installations to identify and remediate any similar vulnerabilities in related components, while implementing monitoring solutions to detect anomalous chart creation patterns that might indicate exploitation attempts.