Man-Group Dtale Version 3.10.0 Vulnerable to Authentication Bypass and Remote Code Execution
CVE-2024-3408
9.8CRITICAL
Key Information:
- Vendor
- Man-group
- Status
- Man-group/dtale
- Vendor
- CVE Published:
- 6 June 2024
Summary
D-Tale version 3.10.0 exhibits vulnerability due to inadequate input validation leading to an authentication bypass and remote code execution (RCE). A hardcoded 'SECRET_KEY' within the Flask configuration allows adversaries to create forged session cookies when authentication is present. Furthermore, the application does not properly restrict custom filter queries, granting malicious users the ability to perform arbitrary code execution on the server. This occurs even with the 'enable_custom_filters' option disabled, allowing attacks to exploit the '/update-settings' endpoint without sufficient safeguards.
Affected Version(s)
man-group/dtale < 3.13.1
References
CVSS V3.1
Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database