CVE-2024-21642
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the Load From the Web input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| man-group | dtale | < 3.9.0 | affected |
Weaknesses
- CWE-918: CWE-918: Server-Side Request Forgery (SSRF)
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4
- https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2
- https://github.com/man-group/dtale?tab=readme-ov-file#load-data–sample-datasets
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4
- https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2
- https://github.com/man-group/dtale?tab=readme-ov-file#load-data–sample-datasets
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.