CVE-2024-21642

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-21642
D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2 Patch
https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4 Patch Vendor Advisory
https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets Product
https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2 Patch
https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4 Patch Vendor Advisory
https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets Product
Configurations

Configuration 1 (hide)

cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*
History

21 Nov 2024, 08:54

Type Values Removed Values Added
References () https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2 - Patch () https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2 - Patch
References () https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4 - Patch, Vendor Advisory () https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4 - Patch, Vendor Advisory
References () https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets - Product () https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets - Product

18 Jan 2024, 20:15

Type Values Removed Values Added
References () https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2 - () https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2 - Patch
References () https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4 - () https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4 - Patch, Vendor Advisory
References () https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets - () https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets - Product
First Time Man d-tale
Man
CPE cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*

08 Jan 2024, 12:02

Type Values Removed Values Added
Summary
  • (es) D-Tale es un visualizador de estructuras de datos de Pandas. Los usuarios que alojan públicamente versiones de D-Tale anteriores a la 3.9.0 pueden ser vulnerables a server-side request forgery (SSRF), lo que permite a los atacantes acceder a los archivos del servidor. Los usuarios deben actualizar a la versión 3.9.0, donde la entrada "Cargar desde la Web" está desactivada de forma predeterminada. La único workaround para versiones anteriores a la 3.9.0 es alojar D-Tale únicamente para usuarios confiables.

05 Jan 2024, 22:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-01-05 22:15

Updated : 2024-11-21 08:54

NVD link : CVE-2024-21642

Mitre link : CVE-2024-21642

CVE.ORG link : CVE-2024-21642

JSON object : View

Products Affected

man

  • d-tale
CWE
CWE-918

Server-Side Request Forgery (SSRF)