GHSA-fg5m-m723-7mv6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fg5m-m723-7mv6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-fg5m-m723-7mv6/GHSA-fg5m-m723-7mv6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fg5m-m723-7mv6
- Aliases
- Published
- 2024-09-16T14:37:27Z
- Modified
- 2024-09-20T20:12:31.719110Z
- Severity
-
- 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
- Summary
- D-Tale Command Execution Vulnerability
- Details
-
D-Tale is the combination of a Flask back-end and a React front-end to bring you an easy way to view & analyze Pandas data structures. In dtale\views.py, under the route @dtale.route("/chart-data/<data_id>"), the query parameters from the request are directly passed into runquery for execution. And the runquery function calls proceed without performing any processing or sanitization of the query parameter. As a result, the query is directly used in the df.query method for data retrieval. Tthe engine used is
python, which allows executing the query expression ans leading to a command execution vulnerability. - Database specific
{ "nvd_published_at": "2024-09-14T20:15:11Z", "cwe_ids": [ "CWE-74" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-09-20T19:50:07Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-8862
- https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8
- https://github.com/man-group/dtale
- https://rumbling-slice-eb0.notion.site/Unauthenticated-Remote-Command-Execution-via-Panda-df-query-9dc40f0477ee4b65806de7921876c222?pvs=4
- https://vuldb.com/?ctiid.277499
- https://vuldb.com/?id.277499
- https://vuldb.com/?submit.403200
Affected packages
PyPI / dtale
Package
- Name
- dtale
- View open source insights on deps.dev
- Purl
- pkg:pypi/dtale
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.14.1
Affected versions
1.*
1.0.0
1.1.1
1.2.0
1.3.7
1.4.1
1.5.1
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.8.0
1.8.1
1.8.3
1.8.4
1.8.6
1.8.7
1.8.8
1.8.9
1.8.10
1.8.11
1.8.12
1.8.13
1.8.14
1.8.15
1.8.16
1.8.17
1.8.18
1.8.19
1.9.0
1.9.1
1.9.2
1.10.0
1.11.0
1.12.1
1.13.0
1.14.1
1.15.2
1.16.0
1.17.0
1.18.2
1.19.2
1.20.0
1.21.1
1.22.0
1.22.1
1.23.0
1.24.0
1.25.0
1.26.0
1.27.0
1.28.0
1.28.1
1.29.0
1.29.1
1.30.0
1.31.0
1.32.0
1.32.1
1.33.0
1.33.1
1.34.0
1.35.0
1.36.0
1.37.0
1.37.1
1.38.0
1.39.0
1.40.0
1.40.1
1.40.2
1.41.0
1.41.1
1.42.0
1.42.1
1.43.0
1.44.0
1.44.1
1.45.0
1.46.0
1.47.0
1.48.0
1.49.0
1.50.0
1.50.1
1.51.0
1.52.0
1.53.0
1.54.0
1.54.1
1.55.0
1.56.0
1.57.0
1.58.1
1.58.2
1.58.3
1.59.0
1.59.1
1.60.1
1.60.2
1.61.0
1.61.1
2.*
2.0.0
2.1.0
2.1.2
2.2.0
2.3.0
2.4.0
2.5.1
2.6.0
2.7.1
2.8.0
2.8.1
2.9.0
2.9.1
2.10.0
2.11.0
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.14.0
2.14.1
2.15.0
2.15.2
2.16.0
3.*
3.0.0
3.1.0
3.1.6
3.1.7
3.2.0
3.3.0
3.4.0
3.5.0
3.6.0
3.7.0
3.8.0
3.8.1
3.9.0
3.10.0
3.11.0
3.12.0
3.13.0
3.13.1
3.14.0