Severity: HIGH 7.3 · Ecosystem: PyPI

D-Tale Command Execution Vulnerability

GHSA-fg5m-m723-7mv6 · CVE-2024-8862


Description

D-Tale combines a Flask back-end with a React front-end to give you an easy way to view and analyze Pandas data structures. In dtale\views.py, under the route @dtale.route("/chart-data/"), the query parameter from the request is passed straight into run_query for execution. run_query does no processing or sanitization of that parameter, so the string is used as-is in the df.query method for data retrieval. Because the engine used is python, df.query evaluates the user-supplied query as a Python expression, and a crafted query parameter therefore leads to a command execution vulnerability on the server running D-Tale.
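The pattern the advisory describes is "untrusted string in, expression evaluation out", so the practical mitigation is to refuse anything that is not a plain column filter before it reaches df.query. The following is an added example, not D-Tale's code or its upstream fix: a stdlib-only allowlist validator built on Python's ast module, plus a hypothetical safe_query wrapper that applies it before calling the real pandas DataFrame.query API. The names validate_query, is_safe_query, safe_query, UnsafeQuery and the SAMPLE_COLUMNS set are all assumptions made here.

```python
import ast

# Constructed sample column set standing in for df.columns; not D-Tale data.
SAMPLE_COLUMNS = frozenset({"age", "country", "score"})

# Only the syntax a filter expression needs: boolean/comparison/arithmetic operators,
# column names, literals and literal lists. No attribute access, calls, subscripts,
# lambdas or comprehensions, since those are what turn df.query into eval().
ALLOWED_BOOL_OPS = (ast.And, ast.Or)
ALLOWED_CMP_OPS = (ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn)
ALLOWED_BIN_OPS = (ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.BitAnd, ast.BitOr)
ALLOWED_UNARY_OPS = (ast.Not, ast.USub, ast.UAdd, ast.Invert)
ALLOWED_LITERALS = (str, int, float, bool, type(None))


class UnsafeQuery(ValueError):
    """Raised when a user-supplied query contains anything outside the allowlist."""


def validate_query(expr, columns, max_len=512):
    """Return expr unchanged if it is a plain filter over known columns, else raise UnsafeQuery."""
    if len(expr) > max_len:
        raise UnsafeQuery("query too long")
    try:
        # mode="eval" accepts a single expression only; statements, ';', '@x' local
        # references and backtick-quoted names all fail to parse and are rejected.
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise UnsafeQuery(f"not a plain expression: {exc.msg}") from None
    _check(tree.body, frozenset(columns))
    return expr


def _check(node, columns):
    if isinstance(node, ast.BoolOp):
        _require(isinstance(node.op, ALLOWED_BOOL_OPS), node.op)
        for value in node.values:
            _check(value, columns)
    elif isinstance(node, ast.Compare):
        for op in node.ops:
            _require(isinstance(op, ALLOWED_CMP_OPS), op)
        _check(node.left, columns)
        for comparator in node.comparators:
            _check(comparator, columns)
    elif isinstance(node, ast.BinOp):
        _require(isinstance(node.op, ALLOWED_BIN_OPS), node.op)
        _check(node.left, columns)
        _check(node.right, columns)
    elif isinstance(node, ast.UnaryOp):
        _require(isinstance(node.op, ALLOWED_UNARY_OPS), node.op)
        _check(node.operand, columns)
    elif isinstance(node, ast.Name):
        # Names may only refer to DataFrame columns, never to builtins or modules.
        if node.id not in columns:
            raise UnsafeQuery(f"unknown column {node.id!r}")
    elif isinstance(node, ast.Constant):
        _require(isinstance(node.value, ALLOWED_LITERALS), node)
    elif isinstance(node, (ast.List, ast.Tuple)):
        for elt in node.elts:
            _check(elt, columns)
    else:
        # Attribute, Call, Subscript, Lambda, comprehensions, f-strings, ... all land here.
        raise UnsafeQuery(f"disallowed syntax: {type(node).__name__}")


def _require(ok, node):
    if not ok:
        raise UnsafeQuery(f"disallowed syntax: {type(node).__name__}")


def is_safe_query(expr, columns):
    """Boolean convenience wrapper around validate_query."""
    try:
        validate_query(expr, columns)
        return True
    except UnsafeQuery:
        return False


def safe_query(df, query):
    """Hypothetical hardened replacement for the run_query pattern described above:
    validate the user string against the frame's own columns before df.query sees it."""
    if not query:
        return df
    return df.query(validate_query(query, df.columns), engine="python")


if __name__ == "__main__":
    for q in ("age > 30 and country == 'US'", "age.__class__", "@age > 1", "foo > 1"):
        print(f"{q!r}: {'ok' if is_safe_query(q, SAMPLE_COLUMNS) else 'rejected'}")
```

Two caveats. The validator deliberately rejects pandas-specific query syntax such as `@variable` references and backtick-quoted column names, because a feature that resolves names from the caller's scope is exactly what an allowlist on untrusted input must not expose; if a deployment needs those, they should be supplied server-side rather than parsed from the request. And a validator like this is defence in depth around the pattern the advisory describes, not a substitute for applying the fixed D-Tale release.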
