CVE-2024-55890
EPSS 6.6%D-Tale allows Remote Code Execution through the Custom Filter Input
Published: 12/13/2024Modified: 12/13/2024
Also known as:GHSA-832w-fhmw-w4f4
Description
### Impact Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. ### Patches Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. You can find out more information on how to turn that flag on [here](https://github.com/man-group/dtale#custom-filter) ### Workarounds The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users. ### References See "Custom Filter" [documentation](https://github.com/man-group/dtale#custom-filter)
Affected packages (1)
- PyPI/dtalefrom 0, < 3.16.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-55890
- PATCHhttps://github.com/man-group/dtale
- WEBhttps://github.com/man-group/dtale/commit/1e26ed3ca12fe83812b90f12a2b3e5fb0b740f7a
- WEBhttps://github.com/man-group/dtale#custom-filter
- WEBhttps://github.com/man-group/dtale/security/advisories/GHSA-832w-fhmw-w4f4