Authentication Bypass and RCE in man-group/dtale

CVE-2024-3408 affects man-group/dtale version 3.10.0, a web-based visualizer for pandas data structures [1]. The vulnerability combines two flaws: a hardcoded Flask SECRET_KEY (set to 'Dtale') and insufficient input validation on the /update-settings endpoint [2]. Authorized use of a static secret allows attackers to forge valid session cookies if authentication is enabled, effectively bypassing authentication [2].

The exploitation vector does not require prior authentication. An attacker can craft session cookies using the known SECRET_KEY to impersonate any user [2]. Additionally, the application does not properly restrict custom filter queries; by sending specially crafted requests to /update-settings, an attacker can bypass the intended restriction that enable_custom_filters must be enabled, leading to arbitrary code execution on the server [2].

A successful attack can lead to complete compromise of the D-Tale application server. An authenticated (or forged) session, combined with the arbitrary code execution via filter queries, allows an attacker to execute operating system commands, exfiltrate data, or pivot to internal systems [2]. The severity is high, with a CVSS v4.0 base score likely reflecting both authentication bypass and RCE impacts [2].

Mitigation is available in later commits of the dtale project. The fix, visible in commit 32bd6fb [4], replaces the static 'Dtale' secret with a dynamically generated key using build_secret_key() and likely includes additional input validation. Users should upgrade to a patched version immediately [2]. There is no indication this CVE has been added to the CISA Known Exploited Vulnerabilities catalog at the time of publication.