Critical

dtale

Authentication Bypass and Remote Code Execution via Filter Queries

This vulnerability in version 3.10.0 of a data analysis tool allows attackers to bypass authentication and execute arbitrary code on the server by exploiting hardcoded secrets and manipulating filter queries. The issue lies in the handling of session cookies and filter settings; the advisory does not specify when it was patched.

Available publicly on Apr 14 2024

CVSS score: 9.8

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Credit: ozelis

Threat Overview

The vulnerability combines an authentication bypass with remote code execution (RCE) by exploiting two separate weaknesses. The first weakness involves a hardcoded SECRET_KEY in the application's Flask configuration, which can be used to forge session cookies if authentication is enabled. The second part of the exploit abuses the application's custom filter queries feature. Even when this feature is disabled for security reasons, attackers can bypass this restriction by directly setting a filter query via an endpoint. This allows the execution of arbitrary code on the server.
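The two weaknesses above map to two server-side controls: the session-signing key must never be a value shipped in the code base, and the switch that enables custom filter queries must be decided by the deployment, not by a client request. The following is an added illustration of both controls in plain Python; it is not dtale's code and does not reproduce its API. The environment variable name APP_SECRET_KEY, the placeholder default keys, the settings dictionary shape and all function names are assumptions made for the example.

```python
"""Hypothetical hardening sketch (not dtale's code) for the two weaknesses in
the advisory: a hardcoded Flask-style SECRET_KEY and client-controlled
enabling of custom filter queries."""
import secrets
from typing import Optional

# Constructed placeholders standing in for any literal a project might have
# shipped in its config. A key matching a shipped default is treated as
# public knowledge and therefore compromised.
KNOWN_DEFAULT_KEYS = {"change-me", "dev-secret"}
MIN_KEY_BYTES = 32


class InsecureSecretKey(ValueError):
    """Raised when the configured session key must not be used."""


def load_secret_key(env: dict) -> bytes:
    """Return a session-signing key sourced from the environment (assumed
    variable name APP_SECRET_KEY).

    Refuses to start with a missing, shipped-default, or short key, so a
    cookie signed with a publicly known key can never be accepted.
    """
    raw = env.get("APP_SECRET_KEY")
    if raw is None:
        raise InsecureSecretKey("APP_SECRET_KEY is not set; refusing to start")
    if raw in KNOWN_DEFAULT_KEYS:
        raise InsecureSecretKey("APP_SECRET_KEY matches a shipped default")
    key = raw.encode()
    if len(key) < MIN_KEY_BYTES:
        raise InsecureSecretKey(f"APP_SECRET_KEY shorter than {MIN_KEY_BYTES} bytes")
    return key


def secret_key_is_acceptable(env: dict) -> bool:
    """Boolean wrapper around load_secret_key for health checks and tests."""
    try:
        load_secret_key(env)
    except InsecureSecretKey:
        return False
    return True


def generate_secret_key() -> str:
    """Operator helper: a fresh random value suitable for APP_SECRET_KEY."""
    return secrets.token_urlsafe(MIN_KEY_BYTES)


def apply_settings(server_allows_custom_filters: bool, requested: dict) -> dict:
    """Merge a client-supplied settings update into the effective settings.

    The custom-filter switch is taken from the server-side deployment flag
    alone. A request that tries to flip it on is recorded under "_ignored"
    and otherwise dropped, which is the check whose absence the advisory
    describes.
    """
    effective = {"enable_custom_filters": server_allows_custom_filters}
    ignored = []
    for key, value in requested.items():
        if key == "enable_custom_filters":
            if value and not server_allows_custom_filters:
                ignored.append(key)
            continue
        effective[key] = value
    effective["_ignored"] = ignored
    return effective


def set_filter_query(settings: dict, query: str) -> Optional[str]:
    """Store a filter query only when the effective settings allow it;
    returns None (query rejected) when custom filters are disabled."""
    if not settings.get("enable_custom_filters"):
        return None
    return query
```

The point of `apply_settings` is that the client-facing settings endpoint never becomes the place where a security-relevant toggle is decided; the deployment flag is read once on the server and every request is merged against it. Logging the `_ignored` keys also gives a detection signal: repeated attempts to enable custom filters from a session are worth alerting on.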

Attack Scenario

An attacker first forges a session cookie using the known SECRET_KEY, gaining unauthorized access to the application. They then upload a crafted DataFrame and manipulate the application settings to enable custom filter queries, despite the feature being disabled. By injecting a malicious query, the attacker triggers the execution of arbitrary code on the server.

Who is affected

Any installations of the affected version (3.10.0) with authentication enabled and where an attacker can access the application interface are vulnerable. This includes both public-facing instances and those within protected network environments, assuming the attacker has gained the necessary access.
