7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-8862

GHSA ID

GHSA-fg5m-m723-7mv6

EPSS Score

0.6537%

CWE

CWE-74

Published

9/16/2024

Updated

9/20/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-8862

CVE-2024-8862: D-Tale Command Execution Vulnerability

D-Tale is the combination of a Flask back-end and a React front-end to bring you an easy way to view & analyze Pandas data structures. In dtale\views.py, under the route @dtale.route("/chart-data/<data_id>"), the query parameters from the request are directly passed into run_query for execution. And the run_query function calls proceed without performing any processing or sanitization of the query parameter. As a result, the query is directly used in the df.query method for data retrieval. Tthe engine used is python, which allows executing the query expression ans leading to a command execution vulnerability.

(GitHub Advisory)

7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-8862

GHSA ID

GHSA-fg5m-m723-7mv6

EPSS Score

0.6537%

CWE

CWE-74

Published

9/16/2024

Updated

9/20/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
dtale	pip	< 3.14.1	3.14.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key points: 1) In views.py's get_chart_data route handler, the 'query' parameter is extracted from untrusted HTTP requests and passed to run_query without validation. 2) run_query executes this input via pandas' query() method using the inherently unsafe 'python' engine. The GitHub patch adds a security gate (enable_custom_filters check) in get_chart_data, confirming these were the vulnerable entry points. The CWE-74 classification and commit diff both indicate improper neutralization of injection vectors in these functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*-T*l* is t** *om*in*tion o* * *l*sk ***k-*n* *n* * R***t *ront-*n* to *rin* you *n **sy w*y to vi*w & *n*lyz* P*n**s **t* stru*tur*s. In *t*l*\vi*ws.py, un**r t** rout* @*t*l*.rout*("/***rt-**t*/<**t*_i*>"), t** qu*ry p*r*m*t*rs *rom t** r*qu*st *r*

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *) In vi*ws.py's **t_***rt_**t* rout* **n*l*r, t** 'qu*ry' p*r*m*t*r is *xtr**t** *rom untrust** *TTP r*qu*sts *n* p*ss** to run_qu*ry wit*out v*li**tion. *) run_qu*ry *x**ut*s t*is input vi* p*n**s' qu*ry

7.3

Basic Information

Concerned about an active attack path?

CVE-2024-8862: D-Tale Command Execution Vulnerability

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI