CVE-2024-21642

D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users.
Configurations

Configuration 1 (hide)

cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*

History

18 Jan 2024, 20:15

Type Values Removed Values Added
First Time Man
Man d-tale
CPE cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:*
References () https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets - () https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets - Product
References () https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4 - () https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4 - Patch, Vendor Advisory
References () https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2 - () https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2 - Patch
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5

05 Jan 2024, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-01-05 22:15

Updated : 2024-02-28 20:54


NVD link : CVE-2024-21642

Mitre link : CVE-2024-21642

CVE.ORG link : CVE-2024-21642


JSON object : View

Products Affected

man

  • d-tale
CWE
CWE-918

Server-Side Request Forgery (SSRF)