PyPI: dtale
CVE-2024-45595
Safety vulnerability ID: SFTY-20240910-51587
Safety legacy ID: pyup.io-73185
Overview
D-Tale vulnerable to Remote Code Execution through the Query input on Chart Builder
Advisory
D-Tale affected versions potentially exposed a security vulnerability by processing user-supplied queries without restrictions. This could allow malicious actors to craft queries leading to unauthorized data access or manipulation. The patch introduces a feature flag, "enable_custom_filters", which, when disabled, prevents processing of custom queries, significantly reducing the attack surface. Users are advised to update to the latest version and carefully manage this new flag, enabling custom filters only when necessary. Organizations should review any existing deployments, ensure proper configuration of the feature flag, and consider disabling custom filters in sensitive environments.
References
- https://getsafety.com/vulnerabilities/SFTY-20240910-51587/CVE-2024-45595
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45595
- https://github.com/advisories/GHSA-pw44-4h99-wqff
- https://github.com/man-group/dtale/commit/b6e30969390520d1400b55acbb13e5487b8472e8
- https://github.com/man-group/dtale/security/advisories/GHSA-pw44-4h99-wqff
- https://nvd.nist.gov/vuln/detail/CVE-2024-45595
- https://github.com/man-group/dtale#custom-filter
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
