CVE-2024-21642 Information
Jan 06, 2024
Description
D-Tale is a visualizer for Pandas data structures. Users hosting versions of D-Tale prior to 3.9.0 publicly can be vulnerable to server-side request forgery (SSRF), allowing attackers to access files on the server. Users should upgrade to version 3.9.0, where the Load From the Web input is turned off by default. The only workaround for versions earlier than 3.9.0 is to host D-Tale only to trusted users.
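The fix described above has two parts: the remote-load input is off by default, and a deployment that does enable it should only accept URLs that cannot reach local files or internal hosts. The following is an added example, not code from D-Tale or its maintainers; the helper names (`is_safe_remote_url`, `load_remote_csv`, the `enable_web_loads` flag and the injected `fetch` callable) are hypothetical and are only meant to show the defensive pattern. It checks the URL scheme and the literal host address; a production check would additionally validate the address the hostname resolves to at request time and refuse HTTP redirects, which this snippet does not do.

```python
import ipaddress
from urllib.parse import urlparse

# Only web schemes are acceptable for a "load from the web" style input;
# file://, ftp:// and similar schemes must never reach the loader.
ALLOWED_SCHEMES = {"http", "https"}


class RemoteLoadDisabled(Exception):
    """Raised when the remote-load feature is used while switched off."""


class UnsafeRemoteURL(Exception):
    """Raised when a URL points at a scheme or host the loader must not touch."""


def is_safe_remote_url(url: str) -> bool:
    """Return True only for http(s) URLs whose host is not local or internal.

    Hypothetical validator: rejects non-web schemes, 'localhost' names and
    literal loopback, private, link-local, multicast, reserved and unspecified
    addresses (both IPv4 and IPv6). DNS names are accepted here; the resolved
    address still needs the same check at fetch time.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname  # strips userinfo, port and IPv6 brackets
    if not host:
        return False
    host = host.lower()
    if host in {"localhost", "localhost.localdomain"} or host.endswith(".localhost"):
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name, not a literal address
    return not (
        addr.is_loopback
        or addr.is_private
        or addr.is_link_local
        or addr.is_multicast
        or addr.is_reserved
        or addr.is_unspecified
    )


def load_remote_csv(url: str, fetch, enable_web_loads: bool = False) -> str:
    """Gate a remote CSV load behind an off-by-default flag and the URL check.

    `fetch` is an injected callable (url -> text) so the gate can be tested
    without network access; a real deployment would pass an HTTP client that
    does not follow redirects and re-validates the resolved address.
    """
    if not enable_web_loads:
        raise RemoteLoadDisabled("remote loading is off by default")
    if not is_safe_remote_url(url):
        raise UnsafeRemoteURL(url)
    return fetch(url)
```

Keeping the feature off unless `enable_web_loads=True` is passed explicitly mirrors the 3.9.0 behaviour described in the advisory; the URL check is the extra layer for deployments that do turn it on.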
Reference
https://github.com/man-group/dtale/security/advisories/GHSA-7hfx-h3j3-rwq4
https://github.com/man-group/dtale/commit/954f6be1a06ff8629ead2c85c6e3f8e2196b3df2
https://github.com/man-group/dtale?tab=readme-ov-file#load-data--sample-datasets