D-Tale allows Remote Code Execution through the Custom Filter Input

GHSA-832w-fhmw-w4f4 · CVE-2024-55890

Published Dec 13, 2024 · Modified Dec 13, 2024

Description

Impact

Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.

Patches

Users should upgrade to version 3.16.1 where the update-settings endpoint blocks the ability for users to update the enable_custom_filters flag. You can find out more information on how to turn that flag on here

Workarounds

The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.

References

See "Custom Filter" documentation

References

WEB https://github.com/man-group/dtale/security/advisories/GHSA-832w-fhmw-w4f4
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-55890
WEB https://github.com/man-group/dtale/commit/1e26ed3ca12fe83812b90f12a2b3e5fb0b740f7a
PACKAGE https://github.com/man-group/dtale
WEB https://github.com/man-group/dtale#custom-filter

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes