CVE-2024-21642 - OpenCVE

D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Man	D-tale

Configuration 1 [-]

cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2
https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4
https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-01-05T21:11:41.528Z

Updated: 2024-08-01T22:27:35.919Z

Reserved: 2023-12-29T03:00:44.958Z

Link: CVE-2024-21642

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2024-01-05T22:15:43.190

Modified: 2024-01-18T20:15:52.813

Link: CVE-2024-21642

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-21642", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-12-29T03:00:44.958Z", "datePublished": "2024-01-05T21:11:41.528Z", "dateUpdated": "2024-08-01T22:27:35.919Z"}, "containers": {"cna": {"title": "D-Tale server-side request forgery through Web uploads", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4"}, {"name": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2", "tags": ["x_refsource_MISC"], "url": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2"}, {"name": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets", "tags": ["x_refsource_MISC"], "url": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets"}], "affected": [{"vendor": "man-group", "product": "dtale", "versions": [{"version": "< 3.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-01-05T21:11:41.528Z"}, "descriptions": [{"lang": "en", "value": "D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users."}], "source": {"advisory": "GHSA-7hfx-h3j3-rwq4", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:27:35.919Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4"}, {"name": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2"}, {"name": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6B55BC0-CB00-4380-9679-A7E86C8D7B12", "versionEndExcluding": "3.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users."}, {"lang": "es", "value": "D-Tale es un visualizador de estructuras de datos de Pandas. Los usuarios que alojan p\u00fablicamente versiones de D-Tale anteriores a la 3.9.0 pueden ser vulnerables a server-side request forgery (SSRF), lo que permite a los atacantes acceder a los archivos del servidor. Los usuarios deben actualizar a la versi\u00f3n 3.9.0, donde la entrada \"Cargar desde la Web\" est\u00e1 desactivada de forma predeterminada. La \u00fanico workaround para versiones anteriores a la 3.9.0 es alojar D-Tale \u00fanicamente para usuarios confiables."}], "id": "CVE-2024-21642", "lastModified": "2024-01-18T20:15:52.813", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2024-01-05T22:15:43.190", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}