D-Tale server-side request forgery through Web uploads
CVE-2024-21642
What is CVE-2024-21642?
D-Tale, a visualizer for Pandas data structures, contains a serious server-side request forgery (SSRF) vulnerability in versions prior to 3.9.0. The flaw allows attackers to gain unauthorized access to files stored on the server, compromising the integrity and confidentiality of sensitive data. To mitigate the risk, upgrade to version 3.9.0: this release disables the Load From the Web feature by default, limiting exposure to such attacks. Users still running older versions are strongly advised to restrict access to trusted users only.

Affected Version(s)
dtale < 3.9.0
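To find projects still exposed to the affected range, the following added example (not from the advisory or the D-Tale project) scans a requirements file for `dtale` entries that pin or permit a version below 3.9.0. The function names and the sample file are constructed for illustration, and version parsing is simplified to numeric release segments rather than full PEP 440.

```python
import re

FIXED = (3, 9, 0)  # per the advisory: 3.9.0 ships with Load From the Web off by default

# name, optional [extras], then the version specifier up to any marker or comment
_REQ = re.compile(r"^\s*(?P<name>[A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?(?P<spec>[^;#]*)")
_CLAUSE = re.compile(r"(==|>=|<=|~=|!=|>|<)\s*(\d+(?:\.\d+)*)")

def _ver(text):
    """Numeric release segments only (simplified, not full PEP 440), padded to 3 parts."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(line):
    """'vulnerable', 'allows-vulnerable' or 'ok'; None if the line is not a dtale requirement."""
    m = _REQ.match(line)
    if not m or re.sub(r"[-_.]+", "-", m.group("name")).lower() != "dtale":
        return None
    clauses = [(op, _ver(v)) for op, v in _CLAUSE.findall(m.group("spec"))]
    for op, v in clauses:  # an exact pin decides the outcome on its own
        if op == "==":
            return "vulnerable" if v < FIXED else "ok"
    for op, v in clauses:  # an upper bound that excludes every fixed release
        if (op == "<" and v <= FIXED) or (op == "<=" and v < FIXED):
            return "vulnerable"
    for op, v in clauses:  # a lower bound at or above the fix
        if op in (">=", ">", "~=") and v >= FIXED:
            return "ok"
    return "allows-vulnerable"  # unpinned or loose range: the resolver may pick < 3.9.0

def audit(requirements_text):
    """Return (line_number, requirement, status) for every dtale line that is not 'ok'."""
    findings = []
    for n, line in enumerate(requirements_text.splitlines(), 1):
        status = classify(line)
        if status not in (None, "ok"):
            findings.append((n, line.strip(), status))
    return findings

# Constructed sample requirements file
SAMPLE = """\
pandas==2.1.0
# dtale==3.0.0 (commented out, ignored)
dtale==3.8.1
dtale[extra]>=3.9.0
dtale>=3.0,<4  # viz
"""

if __name__ == "__main__":
    for n, req, status in audit(SAMPLE):
        print(f"line {n}: {req!r} -> {status}")
```

An `allows-vulnerable` result means the constraint does not force 3.9.0 or later, so the installed version still has to be confirmed in the environment itself.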
