CVE-2024-55890

Summary

D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the update-settings endpoint blocks the ability for users to update the enable_custom_filters flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.

Affected Software

VendorProductVersion RangeStatus
man-groupdtale< 3.16.1affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References