CVE-2024-3408 - OpenCVE

man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91

History

No history.

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-06-06T18:54:43.713Z

Updated: 2024-08-01T20:12:07.312Z

Reserved: 2024-04-05T19:26:41.533Z

Link: CVE-2024-3408

Vulnrichment

Updated: 2024-08-01T20:12:07.312Z

NVD

Status : Awaiting Analysis

Published: 2024-06-06T19:16:01.890

Modified: 2024-06-07T14:56:05.647

Link: CVE-2024-3408

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3408", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-04-05T19:26:41.533Z", "datePublished": "2024-06-06T18:54:43.713Z", "dateUpdated": "2024-08-01T20:12:07.312Z"}, "containers": {"cna": {"title": "Authentication Bypass and RCE in man-group/dtale", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:54:43.713Z"}, "descriptions": [{"lang": "en", "value": "man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server."}], "affected": [{"vendor": "man-group", "product": "man-group/dtale", "versions": [{"version": "unspecified", "status": "affected", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-20 Improper Input Validation", "cweId": "CWE-20"}]}], "source": {"advisory": "57a06666-ff85-4577-af19-f3dfb7b02f91", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "man-group", "product": "dtale", "cpes": ["cpe:2.3:a:man-group:dtale:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.10.0", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-06T19:31:56.326871Z", "id": "CVE-2024-3408", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T19:34:27.320Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:12:07.312Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:12:07.312Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3408", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-06T19:31:56.326871Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:man-group:dtale:*:*:*:*:*:*:*:*"], "vendor": "man-group", "product": "dtale", "versions": [{"status": "affected", "version": "3.10.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-06T19:34:22.163Z"}}], "cna": {"title": "Authentication Bypass and RCE in man-group/dtale", "source": {"advisory": "57a06666-ff85-4577-af19-f3dfb7b02f91", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "man-group", "product": "man-group/dtale", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91"}], "descriptions": [{"lang": "en", "value": "man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-06-06T18:54:43.713Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3408", "state": "PUBLISHED", "dateUpdated": "2024-08-01T20:12:07.312Z", "dateReserved": "2024-04-05T19:26:41.533Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-06-06T18:54:43.713Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server."}, {"lang": "es", "value": "man-group/dtale versi\u00f3n 3.10.0 es vulnerable a una omisi\u00f3n de autenticaci\u00f3n y ejecuci\u00f3n remota de c\u00f3digo (RCE) debido a una validaci\u00f3n de entrada incorrecta. La vulnerabilidad surge de una `SECRET_KEY` codificada en la configuraci\u00f3n del matraz, lo que permite a los atacantes falsificar una cookie de sesi\u00f3n si la autenticaci\u00f3n est\u00e1 habilitada. Adem\u00e1s, la aplicaci\u00f3n no puede restringir adecuadamente las consultas de filtro personalizado, lo que permite a los atacantes ejecutar c\u00f3digo arbitrario en el servidor evitando la restricci\u00f3n en el endpoint `/update-settings`, incluso cuando `enable_custom_filters` no est\u00e1 habilitado. Esta vulnerabilidad permite a los atacantes eludir los mecanismos de autenticaci\u00f3n y ejecutar c\u00f3digo remoto en el servidor."}], "id": "CVE-2024-3408", "lastModified": "2024-06-07T14:56:05.647", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2024-06-06T19:16:01.890", "references": [{"source": "security@huntr.dev", "url": "https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@huntr.dev", "type": "Primary"}]}