CVE-2024-3408: Authentication Bypass and RCE in man-group/dtale

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2024-3408

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Authentication Bypass and RCE in man-group/dtale

Source: NVD (National Vulnerability Database)

Vulnerability Description

man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

使用硬编码的凭证

Source: NVD (National Vulnerability Database)

Vulnerability Title

D-Tale 输入验证错误漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Man Group D-Tale是Man Group公司的一个pandas数据结构的可视化工具。 D-Tale 存在输入验证错误漏洞，该漏洞源于 flask 配置中的硬编码 SECRET_KEY，如果启用了身份验证，攻击者便可伪造会话 cookie。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
man-group	man-group/dtale	unspecified ~ 3.13.1	-

II. Public POCs for CVE-2024-3408

#	POC Description	Source Link	Shenlong Link
1	Vuln lab for CVE-2024-3408 - D-Tale Authentication Bypass & RCE	https://github.com/flame-11/CVE-2024-3408-dtale	POC Details
2	man-group/dtale 3.10.0 contains an authentication bypass and remote code execution caused by improper input validation and a hardcoded SECRET_KEY in Flask configuration, letting attackers forge session cookies and execute arbitrary code, exploit requires attacker to access the application.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-3408.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2024-3408

Please Login to view more intelligence information

IV. Related Vulnerabilities

Same vendor: man-group

Same weakness: CWE-798

V. Comments for CVE-2024-3408

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2024-3408

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2024-3408

III. Intelligence Information for CVE-2024-3408

IV. Related Vulnerabilities

V. Comments for CVE-2024-3408

Leave a comment