D-Tale is a visualizer for Pandas data structures. Users hosting versions D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the `Load From the Web` input is turned off by default. The only workaround for versions earlier than 3.9.0 is to only host D-Tale to trusted users.
References
Configurations
History
18 Jan 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
First Time |
Man
Man d-tale |
|
CPE | cpe:2.3:a:man:d-tale:*:*:*:*:*:*:*:* | |
References | () https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets - Product | |
References | () https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4 - Patch, Vendor Advisory | |
References | () https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2 - Patch | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
05 Jan 2024, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-05 22:15
Updated : 2024-02-28 20:54
NVD link : CVE-2024-21642
Mitre link : CVE-2024-21642
CVE.ORG link : CVE-2024-21642
JSON object : View
Products Affected
man
- d-tale
CWE
CWE-918
Server-Side Request Forgery (SSRF)