cbcvebase.
CVE-2024-3408
published 2024-06-06


Priority: P1 93
Severity: critical, CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: ITW exploit, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 77.95% (99.5th percentile)
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the Flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server.

Affected (4 ranges)

Vendor      Product           Version range                                     Fixed in
man-group   dtale             >= 0 < 32bd6fb4a63de779ff1e51823a456865ea3cbd13   32bd6fb4a63de779ff1e51823a456865ea3cbd13
man-group   dtale             0 – 3.10.0
man-group   man-group_dtale   >= unspecified < 3.13.1                           3.13.1
man         d-tale

Detection & IOCs (extracted from sources)

cookie    eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoibnVjbGVpIn0.aYJDsw.w3AZyplKpvDzuqV5CJIsYdRbKYg
path      /dtale/test-filter/
path      /dtale/update-settings/
path      /dtale/popup/upload
path      /dtale/upload
command   @pd.core.frame.com.builtins.__import__('os').system('...')
version   D-Tale 3.10.0 - 3.15.1

Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS D-Tale Filter Query Command Injection Attempt (CVE-2025-0655)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/dtale/test-filter/"; startswith; fast_pattern; content:"|3f|query|3d|"; within:50; content:"|40|pd.core.frame.com.builtins.__import__|28 27|os|27 29|.system|28 27|"; within:150; reference:url,github.com/rapid7/metasploit-framework/pull/19899; reference:cve,2024-3408; reference:cve,2025-0655; classtype:attempted-admin; sid:2060720; rev:1; metadata:affected_product D_Tale, attack_target Server, tls_state plaintext, created_at 2025_03_10, cve CVE_2025_0655, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_03_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect exploitation attempts by monitoring HTTP GET requests to /dtale/test-filter/ whose `query` parameter contains the pandas code injection pattern `@pd.core.frame.com.builtins.__import__('os').system(...)`.
  • Monitor for HTTP GET requests to /dtale/update-settings/ with a body or query string that sets `enable_custom_filters` to true (URL-encoded JSON form: `%22enable_custom_filters%22%3Atrue`); this is the prerequisite step that enables the RCE.
  • Flag use of the known forged Flask session cookie value associated with this CVE's PoC exploit: `eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoibnVjbGVpIn0.aYJDsw.w3AZyplKpvDzuqV5CJIsYdRbKYg`.
  • Use Shodan/FOFA queries `title:"D-Tale"` / `title="D-Tale"` to identify exposed D-Tale instances for proactive asset discovery.
  • The exploit follows a four-step HTTP sequence: (1) GET /dtale/popup/upload to fingerprint the version, (2) POST /dtale/upload to create a dataset, (3) GET /dtale/update-settings/ to enable custom filters, (4) GET /dtale/test-filter/ with the malicious query payload. Correlate these four requests from the same source IP.
  • The hardcoded Flask SECRET_KEY is only exploitable for authentication bypass when authentication is enabled on the D-Tale instance. If auth is disabled, the forged session cookie is unnecessary, but RCE via filter injection may still be possible.
  • The custom filter RCE vector is exploitable even when `enable_custom_filters` is NOT enabled by default, because the /update-settings endpoint can be abused to toggle it on at runtime.
  • CVE-2025-0655 is a related but distinct bypass that leverages the same /test-filter RCE primitive; the Metasploit module and Snort rule reference both CVEs. Detections covering the filter injection pattern will catch both.
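The detection guidance above, applied to access-log lines as an added example. This is not code from the cbcvebase record or from the D-Tale project; the log lines and IP addresses are constructed, the `/dtale/update-settings/<id>` and `/dtale/test-filter/<id>` path prefixes and the Flask cookie name `session` are assumptions, and the injection match is generalized to the `@pd.core.frame.com.builtins.__import__(` prefix of the published pattern so that a different imported module is still caught.

```python
# Added example (not part of the cbcvebase record or the D-Tale project): a
# detector that applies the CVE-2024-3408 detection guidance to web-server
# access-log lines, flags the two high-confidence steps, and correlates the
# full four-step chain per source IP. All log lines below are constructed.
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote

# Constructed sample log lines in Combined Log Format (not from a real server).
# First source IP performs all four steps; second source is a normal user.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /dtale/popup/upload HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2025:10:00:02 +0000] "POST /dtale/upload HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2025:10:00:03 +0000] "GET /dtale/update-settings/1?settings=%7B%22enable_custom_filters%22%3Atrue%7D HTTP/1.1" 200 20 "-" "python-requests/2.31"
203.0.113.5 - - [10/Mar/2025:10:00:04 +0000] "GET /dtale/test-filter/1?query=%40pd.core.frame.com.builtins.__import__%28%27os%27%29.system%28%27...%27%29 HTTP/1.1" 200 40 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2025:10:05:00 +0000] "GET /dtale/main/1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2025:10:05:01 +0000] "GET /dtale/test-filter/1?query=price%20%3E%2010 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""

# Combined Log Format: client IP, identity, user, [timestamp], "METHOD target proto".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Generalized form of the published injection pattern (any imported module).
INJECTION_RE = re.compile(r"@pd\.core\.frame\.com\.builtins\.__import__\(")
# Toggle of enable_custom_filters, either as JSON in `settings` or as a bare param.
TOGGLE_RE = re.compile(r'"enable_custom_filters"\s*:\s*true|enable_custom_filters=true')
# Known forged Flask session cookie value listed in the IOCs above.
KNOWN_FORGED_COOKIE = "eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoibnVjbGVpIn0.aYJDsw.w3AZyplKpvDzuqV5CJIsYdRbKYg"

# The four-step chain described in the detection notes, in order.
STEP_ORDER = ("fingerprint", "upload", "enable_filters", "filter_rce")


def classify(method, target):
    """Map one request to an exploit-chain step name, or None if it is not one."""
    parts = urlsplit(target)
    path, query = parts.path, unquote(parts.query)  # decode %xx before matching
    if method == "GET" and path == "/dtale/popup/upload":
        return "fingerprint"
    if method == "POST" and path == "/dtale/upload":
        return "upload"
    # Assumption: a data id may follow the documented path prefixes.
    if method == "GET" and path.startswith("/dtale/update-settings/") and TOGGLE_RE.search(query):
        return "enable_filters"
    if method == "GET" and path.startswith("/dtale/test-filter/") and INJECTION_RE.search(query):
        return "filter_rce"
    return None


def in_order(steps):
    """True if all four chain steps occur in order (other requests may interleave)."""
    idx = 0
    for step in steps:
        if step == STEP_ORDER[idx]:
            idx += 1
            if idx == len(STEP_ORDER):
                return True
    return False


def is_known_forged_session(cookie_header):
    """True if the Flask `session` cookie (name assumed) carries the PoC value."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value == KNOWN_FORGED_COOKIE:
            return True
    return False


def analyze(log_text):
    """Return per-request alerts for the two RCE steps and IPs completing the full chain."""
    alerts = []                 # (ip, step, target) for enable_filters / filter_rce
    seen = defaultdict(list)    # ip -> ordered list of chain steps observed
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        step = classify(m["method"], m["target"])
        if step is None:
            continue
        seen[m["ip"]].append(step)
        if step in ("enable_filters", "filter_rce"):
            alerts.append((m["ip"], step, m["target"]))
    full_chain = sorted(ip for ip, steps in seen.items() if in_order(steps))
    return {"alerts": alerts, "full_chain": full_chain}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, step, target in result["alerts"]:
        print(f"ALERT {step:<15} {ip} {target}")
    print("full chain from:", result["full_chain"])
```

Alerts on the `enable_filters` and `filter_rce` steps are worth raising on their own, since a benign workflow does not send the `__import__` prefix in a filter query; the fingerprint and upload requests are only meaningful as correlation context, which is why `analyze` reports them solely through the per-IP chain check.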

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v3.0): 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL