CVE-2024-55890
published 2024-12-13CVE-2024-55890: D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing…
PriorityP182medium6.9CVSS 4.0
AVNACLATNPRNUINVCNVINVANSCLSILSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
ITWEXPLOITVulnCheck KEVInitial access
Exploited in the wild
EPSS
1.06%
60.4th percentile
D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| man-group | dtale | < 3.16.1 | 3.16.1 |
| man-group | dtale | >= 0 < 3.16.1 | 3.16.1 |
CVSS provenance
nvdv4.06.9MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck6.9MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
D-Tale allows Remote Code Execution through the Custom Filter Input
ghsa·2024-12-13
CVE-2024-55890 [MEDIUM] CWE-79 D-Tale allows Remote Code Execution through the Custom Filter Input
D-Tale allows Remote Code Execution through the Custom Filter Input
### Impact
Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.
### Patches
Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. You can find out more information on how to turn that flag on [here](https://github.com/man-group/dtale#custom-filter)
### Workarounds
The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.
### References
See "Custom Filter" [documentation](https://github.com/man-group/dtale#custom-filter)
OSV
D-Tale allows Remote Code Execution through the Custom Filter Input
osv·2024-12-13
CVE-2024-55890 [MEDIUM] D-Tale allows Remote Code Execution through the Custom Filter Input
D-Tale allows Remote Code Execution through the Custom Filter Input
### Impact
Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.
### Patches
Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. You can find out more information on how to turn that flag on [here](https://github.com/man-group/dtale#custom-filter)
### Workarounds
The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.
### References
See "Custom Filter" [documentation](https://github.com/man-group/dtale#custom-filter)
VulnCheck
D-Tale Custom Filter Input 'update-settings' Remote Code Execution
vulncheck·2024·CVSS 6.9
CVE-2024-55890 [MEDIUM] D-Tale Custom Filter Input 'update-settings' Remote Code Execution
D-Tale Custom Filter Input 'update-settings' Remote Code Execution
D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.
Affected: man d-tale
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2024-55890&date=2
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2024-12-13
Published
Exploited in the wild