Описание
D-Tale allows Remote Code Execution through the Custom Filter Input
Impact
Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server.
Patches
Users should upgrade to version 3.16.1 where the update-settings endpoint blocks the ability for users to update the enable_custom_filters flag. You can find out more information on how to turn that flag on here
Workarounds
The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.
References
See "Custom Filter" documentation
Пакеты
dtale
< 3.16.1
3.16.1
Связанные уязвимости
D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.