FKIE_CVE-2024-3408

Vulnerability from fkie_nvd - Published: 2024-06-06 19:16 - Updated: 2024-11-21 09:29
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server.
References
security@huntr.devhttps://github.com/man-group/dtale/commit/32bd6fb4a63de779ff1e51823a456865ea3cbd13
security@huntr.devhttps://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91Exploit, Third Party Advisory
Impacted products
Vendor Product Version
man d-tale 3.10.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:man:d-tale:3.10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "70791772-1BB6-4BEE-A4ED-5DD62532E3C3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server."
    },
    {
      "lang": "es",
      "value": "man-group/dtale versi\u00f3n 3.10.0 es vulnerable a una omisi\u00f3n de autenticaci\u00f3n y ejecuci\u00f3n remota de c\u00f3digo (RCE) debido a una validaci\u00f3n de entrada incorrecta. La vulnerabilidad surge de una `SECRET_KEY` codificada en la configuraci\u00f3n del matraz, lo que permite a los atacantes falsificar una cookie de sesi\u00f3n si la autenticaci\u00f3n est\u00e1 habilitada. Adem\u00e1s, la aplicaci\u00f3n no puede restringir adecuadamente las consultas de filtro personalizado, lo que permite a los atacantes ejecutar c\u00f3digo arbitrario en el servidor evitando la restricci\u00f3n en el endpoint `/update-settings`, incluso cuando `enable_custom_filters` no est\u00e1 habilitado. Esta vulnerabilidad permite a los atacantes eludir los mecanismos de autenticaci\u00f3n y ejecutar c\u00f3digo remoto en el servidor."
    }
  ],
  "id": "CVE-2024-3408",
  "lastModified": "2024-11-21T09:29:32.273",
  "metrics": {
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security@huntr.dev",
        "type": "Secondary"
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-06-06T19:16:01.890",
  "references": [
    {
      "source": "security@huntr.dev",
      "url": "https://github.com/man-group/dtale/commit/32bd6fb4a63de779ff1e51823a456865ea3cbd13"
    },
    {
      "source": "security@huntr.dev",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91"
    }
  ],
  "sourceIdentifier": "security@huntr.dev",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "security@huntr.dev",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        },
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.