CVE-2024-8862
HIGH7.3EPSS 1.6%D-Tale Command Execution Vulnerability
發布日:2024/9/16修改日:2024/9/20
描述
D-Tale is the combination of a Flask back-end and a React front-end to bring you an easy way to view & analyze Pandas data structures. In dtale\views.py, under the route @dtale.route("/chart-data/<data_id>"), the query parameters from the request are directly passed into run_query for execution. And the run_query function calls proceed without performing any processing or sanitization of the query parameter. As a result, the query is directly used in the df.query method for data retrieval. Tthe engine used is `python`, which allows executing the query expression ans leading to a command execution vulnerability.
受影響套件(1)
- PyPI/dtalefrom 0, < 3.14.1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | CVSS 3.1 | HIGH7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
參考連結(7)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-8862
- PATCHhttps://github.com/man-group/dtale
- WEBhttps://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8
- WEBhttps://rumbling-slice-eb0.notion.site/Unauthenticated-Remote-Command-Execution-via-Panda-df-query-9dc40f0477ee4b65806de7921876c222?pvs=4
- WEBhttps://vuldb.com/?ctiid.277499
- WEBhttps://vuldb.com/?id.277499
- WEBhttps://vuldb.com/?submit.403200